Malware Analysis Report

2024-10-18 23:40

Sample ID 240813-elbdyatblg
Target dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
SHA256 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c

Threat Level: Known bad

The file dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 04:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 04:01

Reported

2024-08-13 04:03

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4540b9f84e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4540b9f84e.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 696 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3960 set thread context of 4784 N/A C:\Users\Admin\1000037002\9706fcd865.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\9706fcd865.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2204 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe
PID 2604 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2204 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9706fcd865.exe
PID 3960 wrote to memory of 4784 N/A C:\Users\Admin\1000037002\9706fcd865.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 696 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4920 wrote to memory of 3384 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3384 wrote to memory of 4420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe

"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\9706fcd865.exe

"C:\Users\Admin\1000037002\9706fcd865.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abb5ad8b-5324-4e8e-91d3-5c728ee4abdd} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f56a527-898e-45a0-8ae8-a54bc1e3f469} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3152 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f072bf1c-1fc3-40c5-9f46-f2c596f4c637} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c776dfda-d536-4358-b3a2-577b3c1f468a} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4324 -prefMapHandle 4316 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e52317dd-b9b0-4728-b7f6-258238194d56} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77ae3a8e-8dce-4d8e-9d74-2ff8e23a5f60} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b29046-f24c-40f6-99f0-db811578d667} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {533ffc38-daa9-4aba-9b63-66d0d5bb0267} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 6 -isForBrowser -prefsHandle 6228 -prefMapHandle 6240 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69dd901-2177-4d18-b279-6927a168f35d} 3384 "\\.\pipe\gecko-crash-server-pipe.3384" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:54791 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:54798 tcp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1156-0-0x0000000000CF0000-0x00000000011A4000-memory.dmp

memory/1156-1-0x0000000077D34000-0x0000000077D36000-memory.dmp

memory/1156-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

memory/1156-3-0x0000000000CF0000-0x00000000011A4000-memory.dmp

memory/1156-4-0x0000000000CF0000-0x00000000011A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f04b3373ae5c6188c50c1dc9cbb47d5f
SHA1 ffcfbcbb82ad2785140e8c9e15437caae75f5e51
SHA256 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
SHA512 61e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7

memory/2204-17-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/1156-18-0x0000000000CF0000-0x00000000011A4000-memory.dmp

memory/2204-19-0x0000000000501000-0x000000000052F000-memory.dmp

memory/2204-20-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-21-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-22-0x0000000000500000-0x00000000009B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4540b9f84e.exe

MD5 0268fe10bef3ec38e53e6a393558b6ce
SHA1 9ab70efc9284b4a0bb4dd3f816e5070c2c8f6fd0
SHA256 4f3605d6a7478c3de5bec04d779793e16c141d0f377f2246d1007f843268c31b
SHA512 4357851b65a41c5a3d22ad9b864f163dcaba290bf11d306589dca65cead0ae7d336c732120582bcec1e6b5b9f9f201d5488b75b8966cc9a076bb9d55af1ebbb4

memory/2604-41-0x000000007394E000-0x000000007394F000-memory.dmp

memory/2604-42-0x00000000007A0000-0x00000000008D0000-memory.dmp

memory/696-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/696-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/696-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\9706fcd865.exe

MD5 493ca2c6a90f04fb410bc18dfd958f53
SHA1 73482091cc88709902cc09aa8b164c9268b6e9cc
SHA256 b7fc4aa9feba9ee8c2307ec6d55b9010b9e8d2a50b2949dcd02cb6f6c3f7eece
SHA512 41f4a31c9dcda2816e93b7fc259f3546439bc6eedc5e02aef46eb91b960b6132af6c4bd2f6f5c9fe0b19f2083d45ba9620a15ea72a0abdaeabc527831bbc2b82

memory/3960-67-0x0000000000810000-0x0000000000848000-memory.dmp

memory/4784-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4784-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\d4f7c40209.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\92e2d086-9eb1-46eb-b2ed-1d08f873b89e

MD5 ebcb01d8996c2016440c2a67b8a1c2f9
SHA1 79b8abe81bea73dd6170c14ad20fe926c497c56d
SHA256 9e33a9f743436f991af31b11fb9454f1727fb8a1aa9140b0948fff5448d1f6e8
SHA512 d261a1496406e63b5b16fe33476fb262225d170e63ad8f05e0eb3abf2c056859b129ef96463cb6bdcf5b597a79d3355957bcb84608d619ad7f07d6ef55859b6a

memory/2936-294-0x0000000000590000-0x00000000007D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\a67532c0-bcc0-47ac-b4f5-e1299904c335

MD5 710a9ed7a71d386fbe4da395811d997e
SHA1 4bc0c2cf577776b98a2e8b81337e56658cae63f3
SHA256 8c20ec51dc01a7acb6acca7ddc25bb9be8646403247b640ec2f5979bfd07d7c6
SHA512 3d19ee3b50d9217ab9b3396f478b9833e1ff7c0c8eb7064ce3c9ef0442f24445b9bad5a5fb4a79d51e660f0b7d12a9397677c9278fd5ac3808ac153588429e45

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\606bed6b-78db-4e97-b48b-db2e16088cfb

MD5 be75f6bf8e72c756ed113d58bf134153
SHA1 a83af50bcd9be46942599773ee4def5ba79e78fc
SHA256 7b5c53981ab0e23d499d0c32e6a5cdaff2606d58d92a5d54d1b45bdfcb2654f6
SHA512 7c256adfb67b29637752d0f3f3cca0cd185de516994e46862ea022d8d4d30ffba57f0bc90212b9172bb639755ef8bba3e605165ae74a10d8d7d760c2e23aad92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 2f2869fba349258385c2f20920225f8c
SHA1 d464d1a31ef64140d7006fce357584205edf4c28
SHA256 1384f3a7543c4cd4b4072bc42c79a46c7d080dbf7a4b1031c3de8859865c6782
SHA512 be75d202ecc52a1b6422ae6583aed4f33961f47bacc0bfa05701b046ad5eb1793698027e195040c361c7808a0a3686813a39f41dc059c9feb3fbc3e090c799ac

memory/2936-344-0x0000000000590000-0x00000000007D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 90fee4e5cda9fea897c27dc3b5656210
SHA1 4a73dbf8db7a98e1a7662ca64d2774e160e0e75a
SHA256 b561b785ef42c6139653c801c5e03ebd32ec69e7d15de6c44407cbccbc1e7451
SHA512 49c10374d7c4513513c58947ced46584fe5a77903e36e0e3dea3c971eb86061cdff191dd8e9bc94de38c60c27f5fadc43ace1d1d4491b89c4b52ebda36716459

memory/2204-392-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-436-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-439-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-446-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-447-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-454-0x0000000000500000-0x00000000009B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 90f238a24f5e2dbbc0b8d7effa273273
SHA1 5ce9d162201f079af2b9e6f610f2bdefed9a8aec
SHA256 8b1440ab28efec731898f8ef3a89f7b24b47194fbfbb33baa5fbe57e42a88e40
SHA512 acc8d417f9e7f23d134f4400511bb78d2910158cb1d184a4d31ea452986e63e8a51b9fcc55e93fd1134d248dcea288fb68f297e99ae715920c1e22fc3788048d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 8ab61edb804fb7c7489d0dfb8acf4d52
SHA1 8e95556894ffedc924e17cb38c3afd6fc11ebe8e
SHA256 e3b12671878d0a1b26fd687cc85a15bbd897e3d0e0c5b1ff43ae62ec39c0c9eb
SHA512 8f1eca52286ec9fbab5aa049389f6d7d640bb50e3b7973eef83a41be81f1e7aa85662dfafd565a97c622b304e9c5f0e1816d4ca1be51315a6cd02ebc8a2fefba

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 22b93bb4b5a5ec6fe9aea8c39e0a2c1e
SHA1 5f326d76769a4f9e6df42bd577e946e381649010
SHA256 22a19ed6fa05279ceaf5b1fb022af28597bdb610f89e8aec8389e30b7557a891
SHA512 94335961bd2a74da25f515f48cc1aed68939a9473604713f2caabf6b25038cb0e8cb27da2db111d64a28c686f3250d9462a6deed6bc246c7a90f8d9354ade2b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 97fee50395e793d1395391596f6ae518
SHA1 e32a9386624634689eb0dabf6bc547e20eb77933
SHA256 3aff9ccea4d38404fef73a573cf93911e5915ac60fe857a74956f088edfce530
SHA512 9431dcdf6b6262a418143dc2dfebe559c4eb1f3ea5774e96ebf3a92d2db97d7c3c05baf20edddab96cfbb07f6869a889dc050dff87fe453b5d21735538db58b2

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 aeabbc822505332d02b049b9d1c70b05
SHA1 4e357d673e5facf2e38999b50c6013f024814905
SHA256 bc23e3c8f614b27d585230833387296229411a8663ca62c2b84645bc03ef56b8
SHA512 4dd616c786845b5c108de117d005ecf76231c87b21191b9017799310fe7d50f104af42ae2a51a6679592245b7726e83264890ac86cf4b3796020769b53625963

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 9f2a47d2c847e2d3d3c5a0ea93f4c5bf
SHA1 8f5258b5794df32f72fd17483ac9ac5dcfe5dbfe
SHA256 43900d218982984fbef6c6eab04430979ce8cc0c8402a9656d02e5851ca8c227
SHA512 dded8eef9be8cb88618f240c3f9e507814d298af6fb4aced6f4d61835e7e812116babfaf1a6bef689176024c0bae4365255654ec9cf0235e0f60a3ea6d8b7bea

memory/3044-752-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/3044-754-0x0000000000500000-0x00000000009B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4

MD5 db9114a1e8a5d62ee85db281bd5f44fc
SHA1 8612f03d39fc02a5faab263bb900d7bf46b72734
SHA256 b61d59ce353f589f4d97c12f1b73e24dfe1c55449ff6af6bdd172ff6548041d8
SHA512 cb104703957571e34311c3557478a1ae96b97e4ee8c2765c3175745629d50ba3611f446ec648bf968d242fc02cb092823c45f11d0d713fc38a386de3f134e88e

memory/2204-924-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-1595-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2551-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2685-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2689-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2690-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/1104-2692-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/1104-2693-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2694-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2695-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2696-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2702-0x0000000000500000-0x00000000009B4000-memory.dmp

memory/2204-2703-0x0000000000500000-0x00000000009B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 04:01

Reported

2024-08-13 04:03

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\eb13fa022d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\eb13fa022d.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4340 set thread context of 112 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2684 set thread context of 2596 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\b33c5d8cee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (58 identical rows collapsed into this one)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

The only hit is the Firefox instance that RegAsm.exe (PID 112) started; browsers install message hooks as part of normal start-up, so this row reflects the spawned browser rather than the sample's own code.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3532 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 3
PID 2984 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe 3
PID 4340 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4340 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4340 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10
PID 2984 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b33c5d8cee.exe 3
PID 2684 wrote to memory of 5064 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 2684 wrote to memory of 788 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 2684 wrote to memory of 2976 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 2684 wrote to memory of 2596 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9
PID 2984 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe 3
PID 112 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 5032 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 3412 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 5

Identical rows are collapsed; Count is the number of WriteProcessMemory events recorded for that writer/target pair (64 in total). Read as a chain: the submitted sample writes into its own copy explorti.exe (PID 2984), which launches and writes into the three downloaded payloads; eb13fa022d.exe (PID 4340) and b33c5d8cee.exe (PID 2684) then each write into several freshly started RegAsm.exe instances, all of which were launched without any arguments (see Processes below). An unrelated dropped binary writing into a just-created .NET framework process, combined with the SetThreadContext hits listed in the summary, is the process-hollowing pattern: RegAsm.exe is the host, not the actor. The firefox.exe rows are a different case: one of the RegAsm.exe instances (PID 112) starts Firefox, and the parent firefox.exe then writes into its own -contentproc children, which is normal browser start-up and not an indicator on its own.
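As an added example (not part of the sandbox report): a small Python triage script that parses rows in the layout of the WriteProcessMemory table above, separates the three patterns it contains (a dropped binary writing into a freshly started framework process, that host then launching a browser, and a browser writing into its own children), walks the writer chain of each hollowed process back to the submitted sample, and flags the argument-less RegAsm.exe command lines from the Processes section. The rows are copied from the table; the HOLLOWING_HOSTS list and the verdict labels are analyst assumptions, not something the report states.

```python
import re
from collections import Counter, namedtuple

# Rows copied from the "Suspicious use of WriteProcessMemory" table above,
# one per writer/target pair (parse_rows() tolerates the repeats as well).
WRITE_ROWS = r"""
PID 3532 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2984 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe
PID 4340 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4340 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4340 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2984 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b33c5d8cee.exe
PID 2684 wrote to memory of 2596 N/A C:\Users\Admin\1000037002\b33c5d8cee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2984 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe
PID 112 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5032 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3412 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Both paths start with a drive letter, which is what lets the lazy group
# stop at the right space even though "Program Files" contains one.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) (\S+) ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$"
)

Write = namedtuple("Write", "src_pid dst_pid src_image dst_image")

# Analyst-chosen list, an assumption rather than something the report states:
# signed .NET framework binaries that do nothing useful without an assembly
# argument and are commonly used as hosts for hollowed payloads.
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    writes = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src_pid, dst_pid, _indicator, src_image, dst_image = m.groups()
            writes.append(Write(int(src_pid), int(dst_pid), src_image, dst_image))
    return writes


def classify(write):
    src, dst = image_name(write.src_image), image_name(write.dst_image)
    if src == dst:
        # Parent writing into a child of the same image: how Firefox sets up
        # its -contentproc children. Low signal on its own.
        return "self-spawn"
    if dst in HOLLOWING_HOSTS:
        # Unrelated dropped binary writing into a just-created framework
        # process: the process-hollowing pattern (pairs with SetThreadContext).
        return "inject-into-trusted-host"
    if src in HOLLOWING_HOSTS:
        # The hollowed host acting as a parent (RegAsm.exe -> firefox.exe).
        return "launch-from-injected-host"
    return "drop-and-launch"


def injection_chain(writes, pid):
    """Follow writer relationships from pid back to the root process."""
    parent = {w.dst_pid: w.src_pid for w in writes}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def bare_host_invocation(cmdline):
    """True for a HOLLOWING_HOSTS binary started with no arguments at all,
    as every RegAsm.exe in the Processes section was."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe, _, rest = cmdline[1:].partition('"')
    else:
        exe, _, rest = cmdline.partition(" ")
    return image_name(exe) in HOLLOWING_HOSTS and rest.strip() == ""


def triage(text):
    writes = parse_rows(text)
    verdicts = Counter(classify(w) for w in writes)
    hollowed = sorted({w.dst_pid for w in writes
                       if classify(w) == "inject-into-trusted-host"})
    return writes, verdicts, hollowed


if __name__ == "__main__":
    writes, verdicts, hollowed = triage(WRITE_ROWS)
    print(dict(verdicts))
    for pid in hollowed:
        print(pid, "<-", " -> ".join(map(str, injection_chain(writes, pid))))
```

Run stand-alone it prints the verdict counts and, for each hollowed RegAsm.exe PID, the chain back to PID 3532. The same parser works on the full 64-row table; only the Count column changes.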

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe

"C:\Users\Admin\AppData\Local\Temp\dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b33c5d8cee.exe

"C:\Users\Admin\1000037002\b33c5d8cee.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {929f08ee-1245-4cb1-9690-9af83f530423} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ded11c-5c70-4ba6-8904-3a7a65b8d1a9} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 2848 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c74b63d-0c22-41ac-87ed-4263e333f4e4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab64fc25-0d4a-4ee7-904b-fc95c38a5bd8} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4620 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cefc595-060d-4896-89ce-3b544ae9821a} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f99c56-b80b-42dc-8305-1021f980a6fd} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adb8d153-1bb8-4c4e-8bbe-adf11e39046e} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac0ec77-9b86-4fa7-8d28-6e77d93f90a4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 5356 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2152e614-af34-4ffe-b3a4-a99f5d97a9c8} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

The plain-HTTP connections to 185.215.113.16, 185.215.113.19 and 185.215.113.100 (port 80, IP-literal destinations with no hostname; the only resolver traffic involving them is the sandbox's own reverse lookups) are the rows consistent with the Amadey/Stealc C2 activity named in the summary. The remaining rows (mozilla.*, getpocket.com, Google, gvt1.com, akamai.net and the loopback connections) match the telemetry, sign-in and update traffic of the Firefox instance that RegAsm.exe launched, and should not be treated as indicators.

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49844 tcp
N/A 127.0.0.1:49851 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
NL 142.250.179.174:443 accounts.youtube.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.179.174:443 accounts.youtube.com udp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 accounts.youtube.com tcp
NL 142.250.179.174:443 accounts.youtube.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
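As an added example (not part of the sandbox report): a Python classifier for rows in the layout of the Network table above. It separates connections to bare IP literals on port 80 (the C2 candidates) from sandbox resolver traffic, loopback connections and the browser traffic the spawned Firefox generates, and emits the de-duplicated C2 address list. The rows are a subset copied from the table; the BROWSER_NOISE_SUFFIXES allowlist is built from this report's own domains and is an analyst assumption.

```python
import ipaddress
from collections import Counter

# Rows copied from the Network table above; enough of them to exercise every
# branch of classify(). Row order does not matter.
NETWORK_ROWS = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
N/A 127.0.0.1:49844 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
"""

# Suffixes the Firefox instance started by RegAsm.exe is expected to contact,
# taken from this report's own Network table. An analyst allowlist (assumed),
# not a verdict: anything not on it lands in "review".
BROWSER_NOISE_SUFFIXES = (
    ".mozilla.com", ".mozilla.net", ".mozaws.net", ".mozgcp.net",
    ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com", ".akamai.net",
)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # loopback rows have no Domain column
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    host, domain, port = row["host"], row["domain"], row["port"]
    if is_ip(host) and ipaddress.ip_address(host).is_loopback:
        return "loopback"                 # browser-internal, never leaves the box
    if port == 53:
        # Sandbox resolver traffic. A reverse lookup of a C2 address is the
        # sandbox enriching its own report, not something the sample did.
        if domain and domain.endswith(".in-addr.arpa"):
            return "dns-reverse"
        return "dns"
    if domain is None or is_ip(domain):
        # No hostname was ever resolved: the client connected to an IP literal.
        # Plain HTTP to a hard-coded address is how this loader talks to C2.
        return "c2-candidate" if port == 80 else "direct-ip"
    if domain.lower().endswith(BROWSER_NOISE_SUFFIXES):
        return "browser-noise"
    return "review"


def triage(text):
    rows = parse_rows(text)
    verdicts = Counter(classify(r) for r in rows)
    c2 = sorted({r["host"] for r in rows if classify(r) == "c2-candidate"},
                key=ipaddress.ip_address)
    return rows, verdicts, c2


if __name__ == "__main__":
    rows, verdicts, c2 = triage(NETWORK_ROWS)
    print(dict(verdicts))
    print("C2 candidates:", ", ".join(c2))
```

Sorting the C2 list with ipaddress.ip_address as the key keeps 185.215.113.100 after .19, which a plain string sort would not; the "review" bucket exists so that a destination not covered by the allowlist is surfaced rather than silently dropped.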

Files

memory/3532-0-0x0000000000330000-0x00000000007E4000-memory.dmp

memory/3532-1-0x0000000077546000-0x0000000077548000-memory.dmp

memory/3532-2-0x0000000000331000-0x000000000035F000-memory.dmp

memory/3532-3-0x0000000000330000-0x00000000007E4000-memory.dmp

memory/3532-5-0x0000000000330000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f04b3373ae5c6188c50c1dc9cbb47d5f
SHA1 ffcfbcbb82ad2785140e8c9e15437caae75f5e51
SHA256 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c
SHA512 61e76dafff39ee952d66c606b890f771d1a88a5e5fa4ab812f465936da5470bbde90f5f408dafbd75d419622bd170a1d9fe4661df5b545d0e546f80609bf95b7

Same SHA256 as the submitted sample: explorti.exe is a byte-identical copy of the loader written to a randomly named %TEMP% subfolder. It is this copy (PID 2984 in the WriteProcessMemory table), not the original file, that launches the downloaded payloads, and the additional explorti.exe entries at the end of the Processes list are further starts of the same file.

memory/2984-18-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/3532-17-0x0000000000330000-0x00000000007E4000-memory.dmp

memory/2984-19-0x0000000000411000-0x000000000043F000-memory.dmp

memory/2984-20-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-21-0x0000000000410000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe

MD5 0268fe10bef3ec38e53e6a393558b6ce
SHA1 9ab70efc9284b4a0bb4dd3f816e5070c2c8f6fd0
SHA256 4f3605d6a7478c3de5bec04d779793e16c141d0f377f2246d1007f843268c31b
SHA512 4357851b65a41c5a3d22ad9b864f163dcaba290bf11d306589dca65cead0ae7d336c732120582bcec1e6b5b9f9f201d5488b75b8966cc9a076bb9d55af1ebbb4

memory/4340-40-0x0000000072F0E000-0x0000000072F0F000-memory.dmp

memory/4340-41-0x0000000000220000-0x0000000000350000-memory.dmp

memory/112-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/112-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/112-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\b33c5d8cee.exe

MD5 493ca2c6a90f04fb410bc18dfd958f53
SHA1 73482091cc88709902cc09aa8b164c9268b6e9cc
SHA256 b7fc4aa9feba9ee8c2307ec6d55b9010b9e8d2a50b2949dcd02cb6f6c3f7eece
SHA512 41f4a31c9dcda2816e93b7fc259f3546439bc6eedc5e02aef46eb91b960b6132af6c4bd2f6f5c9fe0b19f2083d45ba9620a15ea72a0abdaeabc527831bbc2b82

memory/2684-66-0x0000000000120000-0x0000000000158000-memory.dmp

memory/2596-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2596-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2232-86-0x0000000000190000-0x00000000003D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\5d3403fd-2f59-43bf-8e82-131af7f102b9

MD5 f5cf45b559008cf86d45156c25956725
SHA1 651ff50173ad1a188491a341c43f40d00875cdab
SHA256 4ce3fe1fbb922f4b054a3661a76fa1465bcfdea92b6dcbbb08ff0072d6f2529c
SHA512 77c599fe94468ac5138e3cf00f176c3b4eb35fc15771e6c6a7c96bfe860701ccd2bce25cafd019b8bbba8bc3f0b1a9ac00ea7e994b4ef85582e151d6d349eb67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\6fbfdaad-3a2d-46f5-8fec-3d6dbd5e4284

MD5 c35b732f522387febca327e8c2ffbd75
SHA1 bef884a7aaf2e72b0dcc34a57f29a6c115a29707
SHA256 b33c6e5ec1f39b65c2159ad2f1d65ba2fb774bdecab36dcd1469ee8027415542
SHA512 292f86554ea2901f3844c559d80485e30138c14911e2911fcbfa2c8ebe397a246370ca46ab9085bf9b2810580bbd8a7b3693a15c0a43fe5945a627a5321075d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\0a20aacd-ff15-4df0-b612-f1e05336245c

MD5 c06a5fdc8828eb0ed0e7110a7eafd4a5
SHA1 7bcaf6b8bf7393264331cd3d804b11a5d245f16b
SHA256 486f9d46062ff3462b73c6ff414e854a8f4e3fbef9fbc1d9631c0233f4a54704
SHA512 9e32da2a9d34644ee85b4c8b4a8ba068275374ba168c5ada4b265d07434ddb47f4bc19d730d19c51f2359bee7948f4b56d3f799d080dd5f797cda6207f6a8ad4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 845d2fe338e523fddb8270138a9ca1c0
SHA1 d414a5e77c098d079b9f3ac529d5e3cf69767c28
SHA256 6d93b1141e94e7e4f4c16f8021e05cf5454db3d68346876b2299d258c90adcd7
SHA512 d1d68e26984e06ce27f0b342ee32772437c10997d32fc6ee5e5aab16165924ac090207bf5c737527f6003ab6bc739f2a61fbe605b436d5e100c2f82c51770fda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 4c3d423ded2a8e6cbb939f4220a701f9
SHA1 76e36a59ead842c4243223a89b5833b53d5a6037
SHA256 04e138cb36074381dc616d78d0ac67ede4c03c146d03df667f63ca2a15ecc669
SHA512 4761e740156749c1be3870339921008ad3d5e038713b82ea3ec20979e75ce0a0a5945bc3e4174398f1c698d46e81e9a9202ee5e6ed0be50422b001bd3869bb5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 8a9758646a228fedce2b286b2b3327c4
SHA1 ae53f6029906d4d2d612c7baee94cde443359249
SHA256 8626cafd5d0ad4c99fc0eee25c0fcc8ed4c784e84f8a4cd38b047a0597874228
SHA512 100b2703b396c2854eb1235e26166e002439a4d3c1eb24881861b76edcfd7ac20b744f331de27db6ecea2e20a3aac690ced8e19527534bb795e40da315a0d707

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 bfe3fb495b224d54f71b0cd3333a24ba
SHA1 1a4963eac39bcf40d87d49f695a574c0bc00733e
SHA256 fe0ea4214b15b45e64957b3090b4bb52ceaffb78824fb03e98c67ff45f87564e
SHA512 ea935570e782fb199e782bb5b5c5e3a9f7421cae38ff8fcd0373bd6f3d3112a6687a7cd9975b6d5f8fd10b98e4cef62f5275ae2de35c61bdb660cdf0407006d0

memory/2232-366-0x0000000000190000-0x00000000003D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

MD5 b8639500e0ffdf63dc329c2a478c527f
SHA1 52e0a47b58c894cfaaea631baf991c7a804c7b48
SHA256 10704a8b77a8fc93e099a04626ea925a0ceca168f73eb6b9e8ccdc7a4d6aa8a6
SHA512 167855d91de771c8aac798f19b9edf3286b1d5ca6e2834438fc1a381a0669ac475dada1ddc3a9ab18e2254e43fdc11f5581b57ea687c8575836fcc3f939e0de1

memory/2984-393-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-444-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-445-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-446-0x0000000000410000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

MD5 caedd66953a43e4b56fa284d9826b281
SHA1 5a062f98637f6bc55bf2b1e780e3f44ae09f85b4
SHA256 beecc591da60e7f642cea0ad2ab584ace2d10ae8497249f87529370f6345bd24
SHA512 93a77c7310d40de1ec9fda0f4313b9626799d1704b0f2f8337ea5bda66120aa373f8272fe28fee821818b9e7c45312b1743757212ac0a8d70241693ce9e3bb6d

memory/2984-461-0x0000000000410000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

MD5 2dadf97c8b4d3d23fac178d608e072f2
SHA1 6d0aa4fb561340737f7d1748f1ebb4b51969cab3
SHA256 0245abc27c6f39b9fb5d97f3d65ad33baad8632c0694b6ccfeee8e30fe4a1601
SHA512 449bb684e25ccf944307201c63b3ddced492e919aa3a90cfc5fa4ee04ad3f0a9e9491dc9a31ad4cf6b838f8946aea312efa143aa466f3919a126d400481af770

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 0b7e3e65337a2ef80e12f03ecf96814d
SHA1 eb6709e5a1a851f5e43b5762b4f3716214ba71e9
SHA256 42830639538170ecd1ea1960a683b040c9d7f8c3e180cfd53c9ad99938eb316b
SHA512 b7b813fe0f2095f48c65316dbc1b660a0c0e7d2cf8dc2569979857f6654c40af73190e02494e201d2918f04676e6339d8bc44f8aa9c0d155c00857cb8bec985d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2fd11d8fa84fa82416ffbf245a849a7e
SHA1 176a6aa71fce2eaa4415f9ae73bac24367f03d62
SHA256 8afb421d76564c2d048853ed489efbd34810acdf638d989731e6904cdfb154b4
SHA512 e7fda7d33f72cfe8e72d85dfb6f2c1ddd1c1dead6706de31526dad542d0f4d1eb0b34feb821d0913720506b73837eae30982467112e85feda206789e0f7b08f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

MD5 1d84498ada7ab0b58cc10a13f36e9b5a
SHA1 1c5f021b39bd5e05f0a95aaee423064f2ce51be3
SHA256 2e143718be331b2a2e43317ab6d69e824fa0293e4da51b8d18748afecf1db8ba
SHA512 60d4f49ad7cecf7ae21740819faa823643294bb7b7a9f3eabbdf24afccb0f9d5377d82005361be517f75ccd647f218159020280f3e60dd5e9f65f6475cee6d1b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

MD5 bb8a258374df5e78e43bd3d6165096af
SHA1 5d5193038a23f3459f037a379b6489407091fe89
SHA256 0ce66e0920cfea972f42af6abc1ea974c082cf5878adffdabc35191e2d09459d
SHA512 2393b9781ed2c0ca1d4d32402343071eb045d33e3030be40e5a37410bb79d5c478e53fb17cdc25514d913aa6e1ec9bc0c99c4676a23eb4e102b8718633e4419d

memory/2292-831-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2292-833-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-896-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-1776-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2645-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2699-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2703-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2704-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2706-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/4344-2707-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/4344-2709-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2710-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2711-0x0000000000410000-0x00000000008C4000-memory.dmp

memory/2984-2717-0x0000000000410000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

MD5 5841d65064a6843638cbf1e7b53e13e7
SHA1 ea1e7322ce9eff62bf48fdabae83a8967e5b0d7d
SHA256 1d4ae6c13f5f35f867b703e9d47b457cf5fb09ade2a4633eabd2a9d2582016d5
SHA512 683da6e6b8b06514ffcb475a993593fe2b94c4b19b6bb1bd94d8d2442d86cb92db4531b1ae438646f0ccc0504c95e3e26273263a52d260f1ce767916b8b8f5f1

memory/2984-2722-0x0000000000410000-0x00000000008C4000-memory.dmp
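As an added example (not part of the sandbox report): a Python parser for the Files section layout above that skips the memory-dump lines, groups each path with its hash lines, finds dropped files that are byte-identical to the submitted sample, separates the dropped executables from the Firefox profile writes, labels each drop by the path shapes seen in this report and emits a de-duplicated SHA256 list. The entries are copied from the Files section (SHA512 lines omitted for brevity); the DROP_PATTERNS regexes describe only what this report shows and are an analyst assumption when reused elsewhere.

```python
import re

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c"

# Entries copied from the Files section above (SHA512 lines left out to keep
# the sample short; the parser accepts any of the four algorithms). A memory
# dump line and a browser-profile write are included so the code has to
# skip and separate them.
FILES_TEXT = r"""
memory/3532-0-0x0000000000330000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f04b3373ae5c6188c50c1dc9cbb47d5f
SHA1 ffcfbcbb82ad2785140e8c9e15437caae75f5e51
SHA256 dd98b4b383278ba555167eafe975d259bd492bc9f3df33231b358fb5f4bb0d1c

C:\Users\Admin\AppData\Local\Temp\1000036001\eb13fa022d.exe

MD5 0268fe10bef3ec38e53e6a393558b6ce
SHA1 9ab70efc9284b4a0bb4dd3f816e5070c2c8f6fd0
SHA256 4f3605d6a7478c3de5bec04d779793e16c141d0f377f2246d1007f843268c31b

C:\Users\Admin\1000037002\b33c5d8cee.exe

MD5 493ca2c6a90f04fb410bc18dfd958f53
SHA1 73482091cc88709902cc09aa8b164c9268b6e9cc
SHA256 b7fc4aa9feba9ee8c2307ec6d55b9010b9e8d2a50b2949dcd02cb6f6c3f7eece

C:\Users\Admin\AppData\Local\Temp\1000038001\9706fcd865.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

MD5 8a9758646a228fedce2b286b2b3327c4
SHA1 ae53f6029906d4d2d612c7baee94cde443359249
SHA256 8626cafd5d0ad4c99fc0eee25c0fcc8ed4c784e84f8a4cd38b047a0597874228
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

# Path shapes of this report's drops. Assumed to describe only this sample's
# naming, so treat them as a starting point for a hunt, not a family rule:
#   ...\Temp\<10 hex>\explorti.exe   the loader's copy of itself
#   ...\<10 digits>\<10 hex>.exe     one directory per downloaded payload
DROP_PATTERNS = {
    "loader-self-copy": re.compile(r"\\Temp\\[0-9a-f]{10}\\explorti\.exe$", re.I),
    "task-payload": re.compile(r"\\\d{10}\\[0-9a-f]{10}\.exe$", re.I),
}


def parse_files(text):
    """Turn the path / hash-line layout into one dict per file on disk."""
    files, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None               # process memory dump, not a file
        else:
            current = {"path": line}
            files.append(current)
    return files


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def self_copies(files, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f.get("sha256") == sample_sha256.lower()]


def dropped_executables(files):
    return [f for f in files if image_name(f["path"]).endswith(".exe")]


def label_drop(path):
    for label, pattern in DROP_PATTERNS.items():
        if pattern.search(path):
            return label
    return "unclassified"


def unique_hashes(files, algo="sha256"):
    """Hash IOCs for the dropped executables, minus the sample's own hash."""
    seen, out = set(), []
    for f in dropped_executables(files):
        digest = f.get(algo)
        if digest and digest != SAMPLE_SHA256 and digest not in seen:
            seen.add(digest)
            out.append(digest)
    return out


if __name__ == "__main__":
    files = parse_files(FILES_TEXT)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    for f in dropped_executables(files):
        print(label_drop(f["path"]), f["path"])
    print("payload sha256:", unique_hashes(files))
```

The self-copy check is the reason to keep the sample hash separate from the drop list: a hunt built from this report should key on the three payload hashes plus the original, and not count explorti.exe as a fourth distinct payload.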