Malware Analysis Report

2024-10-18 23:43

Sample ID 240812-wamq9swekg
Target b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA256 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a

Threat Level: Known bad

The file b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Identifies Wine through registry keys

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 17:43

Reported

2024-08-12 17:45

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d0d5b4ffa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\3d0d5b4ffa.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1236 set thread context of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 set thread context of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\464b177d61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4692 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4692 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3440 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe
PID 3440 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe
PID 3440 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1236 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\464b177d61.exe
PID 3440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\464b177d61.exe
PID 3440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\464b177d61.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4452 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\464b177d61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3440 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe
PID 3440 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe
PID 3440 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe
PID 1288 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1288 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4804 wrote to memory of 5116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5116 wrote to memory of 4692 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\464b177d61.exe

"C:\Users\Admin\1000037002\464b177d61.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acec6e0f-d7d3-41d9-8c5e-2b7fc05f5266} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2727b6b3-fa35-4e80-8b0f-7468020b4eed} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2968 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6f43ea-144a-4245-bfe8-0c8bfa910efe} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80672c42-69ad-4f1d-9360-24669f82cb1d} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d466056e-0f3c-45d3-b36f-ec3e30503534} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 3652 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {740620d1-f69f-4329-8d5f-0445951baeac} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c110cb-f7ee-4b09-8271-546cc59b6795} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c58a8f3-733d-4bf5-ad73-b2eebe097dfa} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6520 -childID 6 -isForBrowser -prefsHandle 6528 -prefMapHandle 6532 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ba96f55-c6c6-4b03-9f67-c696393b4f0d} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:64386 tcp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.110.239.44.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:64395 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4692-0-0x0000000000250000-0x0000000000706000-memory.dmp

memory/4692-1-0x0000000077594000-0x0000000077596000-memory.dmp

memory/4692-2-0x0000000000251000-0x000000000027F000-memory.dmp

memory/4692-3-0x0000000000250000-0x0000000000706000-memory.dmp

memory/4692-4-0x0000000000250000-0x0000000000706000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 0400d0f91db9d1a2cb7806b94b23be8a
SHA1 ec696470fcffb473ebdb5586d00a86bebb38be2c
SHA256 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA512 4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a

memory/4692-16-0x0000000000250000-0x0000000000706000-memory.dmp

memory/3440-18-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-19-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

memory/3440-20-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-21-0x0000000000AB0000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe

MD5 71dbe4bb236cc85e0eca13bbbeddc3be
SHA1 134f1402299e1e3ddaad05989875725cfbe71763
SHA256 65ef9eb886fbf27227211f2e8d9a5266adbe3206e00835b1b9018ea79c4816a2
SHA512 c208e1ceda249822b608ab23c58d17202d1b4d0be2d451398b0b0f20eae0ce15fadd5e943047048d133dfb53107a2a710673c7e0d7baead559e305cf3381f86d

memory/3440-40-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/1236-41-0x00000000731AE000-0x00000000731AF000-memory.dmp

memory/1236-42-0x0000000000310000-0x0000000000440000-memory.dmp

memory/1288-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1288-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1288-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\464b177d61.exe

MD5 fff78902d667ae5d4d5e6eca47703322
SHA1 aee23060c9cd8dad8afa9227d5f03b89fb18357f
SHA256 a823ed8e9c412d6d62fa3ad5742054f38b81175dca7604439a8ed06abd55a8aa
SHA512 ecf897f6885f71b4af40a85ed29ddc800f32f056d299357c7c50c62a8d670583592ecaea5bbcb9e6c2ca6d9dfcadfab81dc159e8e5d060ddd4fb918367e80176

memory/4452-67-0x0000000000C80000-0x0000000000CB8000-memory.dmp

memory/4748-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4748-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/684-87-0x0000000000EA0000-0x00000000010E3000-memory.dmp

memory/684-88-0x0000000000EA0000-0x00000000010E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\74e450c5-54fd-4f3a-aea5-30f59c63a103

MD5 2abf9e286c2c6cd455fa02ff408fb8c8
SHA1 0dc7a6404940f483b1299e538bd75131f46c1244
SHA256 67cee6cc44ae5c8c7c50c9ebff3e9bd1afbd7f55f2662861615fec5eab177219
SHA512 3a6a9c43a941b14c45803f2dfc61dc332ae778f68644f0e8a7c68b4a82a4a98c6cd8e4b752e42ebf09876d42c2ce687d9d5ef4a7447f2901f8661be6e3d36d2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\4db0a51a-38f7-48e8-ba04-bc1ece5fa3af

MD5 64004ead1cba9b3f90373edb82824fad
SHA1 ae8c5506ded24e7f2d6c1c9cadb15d962d53a810
SHA256 f37590f0b550b021ea06275c3ad122a8689feb47338bbbfa323a10288b98093d
SHA512 bf50962e22f6eeab82b6c12b8f2ada615a606d6439d9cdf99608237b6637390af053393a1d52ed6cf934059fad94af5bc428684d27d466925ca401c9d4f59d79

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\4b47700f-fe43-4c65-9811-0e43eaef8b34

MD5 f045aabc1282d117b86f949a68533531
SHA1 a9b81f683173d8b15bb1a1f69b62fcade87ffd7e
SHA256 079e9fb9a03a97181e1b39858b6fa86bed0054dd5b315ab11953a9bf7328590b
SHA512 74369e8bf9a3b9dcfe2a45bcb44d09b4a006e85ffd60197d4c055d1fc6eb87b93140dbefdb410f5202c30acb77ef44082471ff86d655d5e3042a185d266a4d5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 ec10ff63d88cd990760ae2e48dd4beb0
SHA1 2bc6a55d81632c7dbb0884b6ae001a3918f75211
SHA256 71da4fba5bcc18441f5ce06de16c5c739a8c9aaca0493c8e62a7d6437c0d21f2
SHA512 d968f0a13759f2b07ad0f9862161af76a0d4375f7496a9e3f30472f5456b79786d9f5da2d3ae2d144ffa52e5c9abf1bc85c9b41314e4906818c009cba6ad9e45

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 f5a375801101efe7988f506278d586be
SHA1 fa3bc4134e40e4c0f72a5215183d129b242c3634
SHA256 41085c2402f4a4749c3b55559a3349d6bd7e46a114c7564747377c043f41a0bd
SHA512 5ca09a4e7378c758cd8b8d6b0c573414f984fb04cf977f397cdd1baf47313c0aa6560ca212d559406bcf75e3fdad847a4f37abb3ce3bc68b8d5715dc9a72a6c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 d428ca3acd1667c8ff6712c090b4a568
SHA1 2b2619013950cfbde2b301543025073f67994844
SHA256 1869650b2c5dd8ec8609d14b1d2942481d145511ae882d785584e07914fa04c2
SHA512 ddec8c83a59e7d2b4121c22c49cd13f9e15dca43c58daa146c42483e1f0da9ce66c763a6bf9ea26d99079f800d87dd2508d577870daea45b51ba75a057ba3d28

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 5704a7ef101873d66376b567a703be11
SHA1 8fbc56b2d794d5cd0713d8046a7fb5f72520bdac
SHA256 d797b677b070eae2e5e61b61312588c43c8fc3bda8682242d944a45c87744d32
SHA512 e9c0c46e014bc32076ea6b0943da508f796b1b2949f2c94aa9b2157cebe9fc0e54c679e2214459ef02cf24f8359eaa0c6da3f07dbc77bdc8c81db88b80433518

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 012b82d5ffffbfef1dd2c283deed5a11
SHA1 db699149b0ce552d8a5870831d1231d8db59a1ee
SHA256 4522da224e06747193f5d291cb95a38edc43c752a68a1c2b056e24e30470ed8a
SHA512 4df614dfac59166cb799f965854e8fe1ee2a8fdcad30cccb4c53770f6bc054f6c6a3d23df6b161c7e2bca4b340cfae77d7f363ebf7dfcef6a1fedd65da196705

memory/3440-433-0x0000000000AB0000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 ef7e650a41634c16a93dbe46adfdd9d2
SHA1 549023482684eb10a99fdfafcd31b14338108271
SHA256 76735853b23b3e3eaea03500ccb8ec215d0c647f1e6eb8d8fa5899163aeb40d7
SHA512 3350727bc0b0f214ae1d9d34ea2afa7dc6395f4888c5640bf0e941d61b152e4e0fadfe6e89a3c70d7d3e090e710c06c760f1516987f22f1c3368784c3b4f5a50

memory/3440-447-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-456-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-465-0x0000000000AB0000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 071229094ffa5a98840b1f5f6dce9bfc
SHA1 3cf9404e08d284836ca31586e99162b480d0235a
SHA256 be56b7dd560687857706b1ae5014ccad8c04fac2ce8e062bb2353c12ad072881
SHA512 4324b2d73df2d03f1b83c32cb1b8494cfb695e3573084e3ae6c146448983a7cdf441bef04be14ce023baa7258d076f6500b1383aad52e037d39e97cbabe51a43

memory/3440-488-0x0000000000AB0000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 8447760b3fc834ada193f524e813a587
SHA1 65a110914c932a762bae5b6199540e85366641a1
SHA256 9c140b731f0a5967b2d9cd4e694f625221332c273391ed7261e0d379a2a074da
SHA512 5f37e01acd17dfb1eda2c211b91dcd2f1d1e92968e054d04e8e10b33856b8bfce6be370efa314538eca8897074294327241880f9372cbc041de8c3f7cf52bc36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 66862bcc0a1e692057d7aa6d17815403
SHA1 629d1311f876814ad9d53e6a64212aa8201a693f
SHA256 04a0064aeb46a299d43ea7622cb88c493ac8cfaba3cf13a98d947b2674f5e7ad
SHA512 e9dd1d552d16a97a67c96b9e33e676b7bd7c9e0a1f8eace3bb8f3e9820c7d0c31a268e3de9103b4f0bed2e3ec567bb643a55cf01d6d0bfa023e4840653cf08a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f16af117bee2094478561dff033c9129
SHA1 f03cd847c5c8d96d791e6db123f43f137482a5fc
SHA256 ae7c57417bef45106a2cd08acc2048411accab65cf12abe171b24fdbb9325754
SHA512 9a1cbb0f0b24620263ea571c8c53549365f5993bcbdc6c2b9b994089baa9001682f760576049e02957aaa905d9a71594253bfbc16df167728e12830e05e0dc73

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 50ea1dee88ff5f7e5e89b4f67d4dc292
SHA1 c95dc712b58101c31741231a4e599fb36d662423
SHA256 b96cdb6cfb8ed34e506e442c1ee80c34a329550b88aa8a5f0340f6ef0bafda12
SHA512 aebc6b763267fa169f71c3e8cb0a249b59fd197c81791311916c32777758a953715faf719b04de32782d3c0008fe228978dc1cf1e2fb736b44fa5e19b8e073e1

memory/2780-701-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/2780-709-0x0000000000AB0000-0x0000000000F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 2006dadb8739105cf977593bb0c592fd
SHA1 066d3743663446dde6c7b86ed5d0da5e68df3757
SHA256 8812ea4da2178daada1020c74c43d777360e5cd0537966fb617c30914fbe33f3
SHA512 48c8ea5b1ef0497e01ef47034ef4a1f3db1946f86597fb650f7b490ab0fbfbfb9ec3805bc58f5f41309d26d090476ff886b87959acd145e43a75993d7e9e30f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3440-1451-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2650-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2668-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2675-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2676-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2677-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3036-2679-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3036-2680-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2681-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2682-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2683-0x0000000000AB0000-0x0000000000F66000-memory.dmp

memory/3440-2689-0x0000000000AB0000-0x0000000000F66000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 17:43

Reported

2024-08-12 17:45

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b56157048.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8b56157048.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1624 set thread context of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 set thread context of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\41d095a501.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5068 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5068 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1712 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe
PID 1712 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe
PID 1712 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\41d095a501.exe
PID 1712 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\41d095a501.exe
PID 1712 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\41d095a501.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2464 N/A C:\Users\Admin\1000037002\41d095a501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe
PID 1712 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe
PID 1712 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe
PID 2352 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2352 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2412 wrote to memory of 396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 396 wrote to memory of 1952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe

"C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\41d095a501.exe

"C:\Users\Admin\1000037002\41d095a501.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f95f06b6-bf6b-4a59-a8fc-466fae33208f} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe892c60-baf4-409a-86ed-d7d78abec3b4} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46fdc9a3-134d-48c1-8a1b-4f5030952b64} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49931685-0e56-4a11-be3b-813d669ada8e} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4692 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a5b5ca6-bf45-4e23-b2b1-6a442d4548d6} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5608 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea62460-9feb-4475-8131-0cf6ce817ffb} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a62b2f-443f-4ca0-a21c-e3889275f5b8} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6139cbcb-ff99-4a5b-acad-9f064b8e2f84} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a877a951-fc71-4798-8726-f21d600628fe} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
N/A 127.0.0.1:49917 tcp
N/A 127.0.0.1:49924 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
RU 185.215.113.19:80 185.215.113.19 tcp

Files

memory/5068-0-0x0000000000420000-0x00000000008D6000-memory.dmp

memory/5068-1-0x0000000077156000-0x0000000077158000-memory.dmp

memory/5068-2-0x0000000000421000-0x000000000044F000-memory.dmp

memory/5068-3-0x0000000000420000-0x00000000008D6000-memory.dmp

memory/5068-4-0x0000000000420000-0x00000000008D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 0400d0f91db9d1a2cb7806b94b23be8a
SHA1 ec696470fcffb473ebdb5586d00a86bebb38be2c
SHA256 b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a
SHA512 4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a

memory/5068-17-0x0000000000420000-0x00000000008D6000-memory.dmp

memory/1712-18-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-19-0x0000000000941000-0x000000000096F000-memory.dmp

memory/1712-20-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-21-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-22-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\8b56157048.exe

MD5 71dbe4bb236cc85e0eca13bbbeddc3be
SHA1 134f1402299e1e3ddaad05989875725cfbe71763
SHA256 65ef9eb886fbf27227211f2e8d9a5266adbe3206e00835b1b9018ea79c4816a2
SHA512 c208e1ceda249822b608ab23c58d17202d1b4d0be2d451398b0b0f20eae0ce15fadd5e943047048d133dfb53107a2a710673c7e0d7baead559e305cf3381f86d

memory/1624-41-0x0000000072B1E000-0x0000000072B1F000-memory.dmp

memory/1624-42-0x0000000000670000-0x00000000007A0000-memory.dmp

memory/2352-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2352-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2352-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\41d095a501.exe

MD5 fff78902d667ae5d4d5e6eca47703322
SHA1 aee23060c9cd8dad8afa9227d5f03b89fb18357f
SHA256 a823ed8e9c412d6d62fa3ad5742054f38b81175dca7604439a8ed06abd55a8aa
SHA512 ecf897f6885f71b4af40a85ed29ddc800f32f056d299357c7c50c62a8d670583592ecaea5bbcb9e6c2ca6d9dfcadfab81dc159e8e5d060ddd4fb918367e80176

memory/2772-67-0x0000000000D50000-0x0000000000D88000-memory.dmp

memory/2464-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2464-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\70e74b7d23.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1572-87-0x0000000000A40000-0x0000000000C83000-memory.dmp

memory/1572-88-0x0000000000A40000-0x0000000000C83000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\ddf44aa7-f928-41a9-a774-ba9b2cffa9c4

MD5 83b1067d6dff178d1170ff55d94dad4d
SHA1 71ae1092a6c92774fb14babc502aa01ec2432ab3
SHA256 df63907fc5bfc3bd84ca405f3716bc3a4040888f13bb71f065c8a58da32e31aa
SHA512 1b0d5a4fbf0d4996a9105e8e38cbe9785d5642d398bb48297fecbcbcd8dcf9de809d669f2a490b520515962f1145ed31a69c63584bdc4049a2ca958a1887df45

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\e97d4c56-5048-4d5f-8d02-002a4bec533e

MD5 803d2893096d1087554d15bea3d7cfd9
SHA1 6147500f6ddf30a4873a30a6b927f6cb45606954
SHA256 712420565d2d8f5c77841fd7d9224c58c22a1e4f43583ef15728b4315c8b3218
SHA512 c3f163bb5d0d62ed1064b4f0a4fde8817435b66ee5df754216e896188da9ffd6b3445ca6eba656b24ceca18f9e22a94535d91bad8ca01ea9c079f1f998dffad4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\916c662b-1be8-4e9d-905b-4f6a517fd13e

MD5 66551a2e4fbca1675b7ab7c92bfa5d8a
SHA1 4ab9e0b6a789a9bf65f43068a5eaa5ec76b86672
SHA256 4f6ef13a1db8ee355b8a4b9173f3d46fb92fdcddae4094ab3da94a762027b43e
SHA512 3cc01c84056c33e4a875acff8f54600afc5c2d9ac782605ef18bdb5c50b015dcd7ada9da6dbea5060e85dca427dc68d735058bc204e01df070611f18d2be78a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

MD5 d1bba225b3376d407b1de1763e41eec8
SHA1 5e12cf50cadc72811b7b36af4fe83bf2a828a957
SHA256 4959fe2ba78068a4ee4bed1cb9ef1c4cead5c7a79181f04af66582dbc6b3ba7c
SHA512 975c98d2e321e599dcb3c1b3198b7e864e7250d20ee4d175b192189e57abbe8495604352cec161510cef2840ade5a29b859df8731dcb5b745ee2f76b5a931896

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\activity-stream.discovery_stream.json

MD5 407406b0a93a5e0aaf747307ca197c3b
SHA1 cb8354c28f4565c6e56a895368c12d60bec0ddc9
SHA256 58b951f49a8a66ca2dfd5c499b5117991a96077a5e121c06675907114e548aa2
SHA512 e3f9ca5a74ecd4f09ac0a3b59d6dc8b132cbbd2699889aab552f0bfed8fe7f9b50256ac5faf93d543bbc829f1c46c0ec07eca74687ab4f8961a76e1ff87f7541

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

MD5 9ddaa0e703c2da7ddc057a4a1ae6f701
SHA1 8c361c70a0ef341af87b7d14a7df5e9b9378bf8a
SHA256 c5538987be4442408f3faec44319f0e9d82e658d26470d40599241e455bb9893
SHA512 2704f88fed00b5e116b7a9dfa236c6efa93d58b9b6748d266f7c406c67b8df2adcb321ef4003c146a66fe1741725ec786c2546a02c06dfd5de70167edde1acbd

memory/1712-361-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-422-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-423-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-439-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

MD5 d3bfd24d8238d109e1ef37d8d8733bec
SHA1 32b14ee6790ca48f16c3faf2ef6797bdc32d691e
SHA256 cfa100ce91a11161a3d7104e84936fd14b9fe44805865196bc4f05b0a901b8bd
SHA512 409918ed212b1d54b8b93dedfaf4e148e691d4b882e10f4ce1c42676f64e84725178c2dbce903c8b8aa3506145e635284bd20aae519837eedb8dbb7a67f4a13e

memory/1712-452-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 e6ade15a926c43a298f47112997c86ed
SHA1 641f60fda0b6bdccc3fbcf863aadeb04360962ee
SHA256 61ae1bec626ff37fd5b0e77154b9755af8608d7b453448e8d79de02746366ce7
SHA512 8c653f3f21aa6257b5ad1d91c34ccf7c6744e8e42e7836c31d3f976e06e49d33a8531ceff9a0083f1d17ed9d108122a8236ff7dc06599677131451200589e79d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

MD5 7e683f523fd49d5fd662d7d954653e0d
SHA1 5ce68bed31a90e1aa635cd97a3b44b7acff9a847
SHA256 8a75fb014c9bce5ece346f356280433ae04f1293aa90cace1dae229e7faccfaa
SHA512 34aa3cb3c3b275bd02c5ececeb557b72b757e776da192863a286fff1293eb7b49d6e7dc01ae0961b9a05283eeccd088ecb327a3a235ec4dff488bba0cb7e1902

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 444259ef7373f6541e633bcee20035a9
SHA1 0fdec5dd89b256481c6508e46fbad447f9546c61
SHA256 5991e3019fc0cf2813e7b57b9015d83502f9dfb12dedb95f6955e8cf09aec608
SHA512 d54b6ef920e141068953ef67209e6e56d40c26d3ad0cc2c01ca23e5b10bcacfa12c1ef5716b0ae2a91a5af0512eb3e9b2bede50ac6830e6190baa9fb048e112a

memory/1672-655-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1672-667-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

MD5 9eecde16b696b8d59ea2a418a2161adf
SHA1 d13c88459c1459d58a4310de880ec3dce132a755
SHA256 799504ffa61d0f4b081ec97f6072200a29f3ca2e93fab92dfd7322e3e318703b
SHA512 cef0a481af73d096581f36aa80c5ac86b890798c0440b79085e7ae0d1b1a3cb5c2f6d6ad5e9ed56378f8c3b50a4c7a6abc16ad618690c20d8ed949fec3942b8a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1712-1565-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-2577-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-2578-0x0000000000940000-0x0000000000DF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

MD5 d0da64ab3fcbd68821cd44f88cbc0904
SHA1 d69a41f5eb154ddda7a4bb666c70b704a2649164
SHA256 0871e000e324fbbafa13a8b04b63491038e8a2565c8aac82405abeb86866ee12
SHA512 3a305ea9ff91ae3ff6861eca1babcd6cb604d32d731f4b693ac535c81758a055978d58ad613be185d1f9dd7d4b785bef426afd5edb04caa28cc7bc16a53158c9

memory/1712-2586-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/1712-2592-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4928-2594-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4928-2595-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4928-2596-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4928-2597-0x0000000000940000-0x0000000000DF6000-memory.dmp

memory/4928-2603-0x0000000000940000-0x0000000000DF6000-memory.dmp