Malware Analysis Report

2024-10-18 23:42

Sample ID 240813-zyc4hswdra
Target 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
SHA256 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 21:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 21:07

Reported

2024-08-13 21:09

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b892d81e5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b892d81e5b.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable


Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3116 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 set thread context of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\d88b586c75.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1020 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1020 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1020 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3172 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe
PID 3172 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe
PID 3172 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe
PID 3116 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3116 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\d88b586c75.exe
PID 3172 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\d88b586c75.exe
PID 3172 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\d88b586c75.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 wrote to memory of 2164 | N/A | C:\Users\Admin\1000037002\d88b586c75.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe
PID 3172 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe
PID 3172 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe
PID 4612 wrote to memory of 4332 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4612 wrote to memory of 4332 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4412 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4412 wrote to memory of 4876 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe

"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d88b586c75.exe

"C:\Users\Admin\1000037002\d88b586c75.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c6ef72f-4318-42dd-9167-42054568727e} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcfd7d41-1639-40d7-84f8-2783244962e8} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 1456 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1b378a-cacc-45e2-bc41-49aa403563e2} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e410f823-1072-4124-b4ee-98b07a7d096d} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b194cad1-ef64-4288-93ef-4f37b7114411} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 4856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b4f017-e5b6-42f6-825e-b8e6d2c3c733} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5688 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {974e4f8d-fd39-47a3-a944-ff30c1ab4779} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04200812-8999-4014-8b9a-c4b5a88b262b} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6196 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8517620b-b798-4f8b-b89e-2bce3a08a35b} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:54826 N/A tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
N/A 127.0.0.1:54833 N/A tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
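
Most of the Network table above is the detonation image's own Firefox session (Mozilla services, Google, Bing, Akamai CDNs), the sandbox's reverse-DNS lookups of every peer (the in-addr.arpa rows) and resolver traffic to 8.8.8.8. What remains once that is filtered out are three plaintext HTTP connections to 185.215.113.19, 185.215.113.16 and 185.215.113.100, each made directly to the IP with no name ever resolved, which is the traffic worth turning into indicators. The script below is an added example, not part of the report or of any sandbox tooling: it parses rows in the table's "Country Destination Domain Proto" layout, drops the background traffic using an allowlist of benign domain suffixes (an assumption to tune per environment), deduplicates what is left and renders it as Suricata rules; the sid range is also an assumption.

```python
import ipaddress
import re

# Rows copied from the Network table above (a representative subset; the
# column order is Country, Destination as ip:port, optional Domain, Proto).
REPORT_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:54826 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
"""

# Assumed allowlist: domain suffixes produced by the sandbox's own Firefox
# session, Windows telemetry and CDNs. Tune it for your own detonation image.
BENIGN_SUFFIXES = (
    "mozilla.net", "mozilla.com", "mozgcp.net", "mozaws.net", "getpocket.com",
    "google.com", "youtube.com", "gvt1.com", "bing.com", "bing.net",
    "akamai.net", "openh264.org",
)

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the flattened table; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_noise(row):
    """Background traffic that should not become an indicator."""
    ip = ipaddress.ip_address(row["ip"])
    dom = (row["domain"] or "").lower()
    if ip.is_loopback or ip.is_private:
        return True
    if row["port"] == 53 and row["proto"] == "udp":   # resolver queries
        return True
    if dom.endswith(".in-addr.arpa"):                  # sandbox reverse lookups
        return True
    return any(dom == s or dom.endswith("." + s) for s in BENIGN_SUFFIXES)


def suspicious_destinations(text):
    """Unique non-noise destinations in first-seen order. direct_to_ip marks
    rows whose Domain column is just the IP again, i.e. the process connected
    without resolving a name, which is how the three RU hosts appear."""
    seen, out = set(), []
    for row in parse_rows(text):
        if is_noise(row):
            continue
        key = (row["ip"], row["port"], row["proto"])
        if key in seen:
            continue
        seen.add(key)
        out.append({
            "ip": row["ip"], "port": row["port"], "proto": row["proto"],
            "country": row["cc"], "direct_to_ip": row["domain"] == row["ip"],
        })
    return out


def to_suricata(dests, sid_base=9000001):
    """Render one alert rule per destination (the sid range is an assumption)."""
    return [
        f'alert {d["proto"]} $HOME_NET any -> {d["ip"]} {d["port"]} '
        f'(msg:"Amadey/Stealc direct-to-IP HTTP {d["ip"]}"; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(dests)
    ]


if __name__ == "__main__":
    for rule in to_suricata(suspicious_destinations(REPORT_ROWS)):
        print(rule)
```

Run stand-alone it prints three rules, one per RU host on port 80; every other row in the subset is classified as noise. The allowlist is deliberately suffix-based rather than exact, because the Mozilla and Google hostnames in the table vary per run while their parent zones do not.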

Files

memory/1020-0-0x00000000006C0000-0x0000000000B72000-memory.dmp

memory/1020-1-0x0000000077D24000-0x0000000077D26000-memory.dmp

memory/1020-2-0x00000000006C1000-0x00000000006EF000-memory.dmp

memory/1020-3-0x00000000006C0000-0x0000000000B72000-memory.dmp

memory/1020-4-0x00000000006C0000-0x0000000000B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 e4b66dca73b9df6e615b29127344497f
SHA1 af8dea556b8bea1fa0abdbca3c743ebc20744288
SHA256 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
SHA512 77b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e

memory/3172-18-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/1020-17-0x00000000006C0000-0x0000000000B72000-memory.dmp

memory/3172-20-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-19-0x0000000000DF1000-0x0000000000E1F000-memory.dmp

memory/3172-21-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-22-0x0000000000DF0000-0x00000000012A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe

MD5 627b7e7a593c56c3952ae9ef80f5af4a
SHA1 7fc9bb380f9efcfd3aa42f9e7b58cdb41530c8d8
SHA256 d89781341164e48965db98c8d05d83046a4d827b197c54108f0b35df9a9942be
SHA512 6a1c77db5de5a7696901846a8c05f188162acc4729cb8a8e76c5a38527e104710e2dfcd38c32fce9421bf31a95e2be96e4e30e3eb2d40c81c892911e15fc05f4

memory/3116-41-0x000000007393E000-0x000000007393F000-memory.dmp

memory/3116-42-0x0000000000EA0000-0x0000000000FD2000-memory.dmp

memory/4612-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4612-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4612-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d88b586c75.exe

MD5 08c4a58bbadc6ca9b4c015f6d73d682f
SHA1 39e3fb93c93a7518e3fac3d5b6bae8fd2d2dc072
SHA256 8e6ceaf7c0ef571561f2ddadfc11ee4519b0d6fae6746e34381e393400c9fbab
SHA512 6b0db9a73bcee0ea9faba522cd1c7250c0bfa307f6c32dc2ecdea8cc0303837ed7b5258a3c7f3120207b49c83d7d1cc50024e4e404db8848ee3a4b5a633672b3

memory/4060-67-0x0000000000D20000-0x0000000000D5A000-memory.dmp

memory/2164-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2164-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\b0cf8055f1.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/760-87-0x0000000000200000-0x0000000000443000-memory.dmp

memory/760-88-0x0000000000200000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\8f646a82-334c-46ac-94ec-70c0bb202721

MD5 3d690572fb606b01e48c2ee1f0eacac8
SHA1 c4a50bdda64f615ab1ad99d61554a4dc48f0cab4
SHA256 df90b06d8a5d0bc3c7f67a25c193cc8af8fd65179e0c7a7c63d7aa9c2cf19e55
SHA512 1c856d3b3aae932d69aa880ba24a41668c7e9f609cbb0cad859df26ec3d7acfa7aef8d3b1ed11979ad7a830ad68ccd707c2caf1c0bef8e22eb4f9d13a298ba4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\c08f99e3-9351-495c-95ac-7d66dc54ca34

MD5 661844e45a0b0c6defd937355f5951e8
SHA1 f529bd932cbce823f04eaa0fd442deac7eb6b401
SHA256 6fb70a8d3561100d7614da16715dc13067be725199f82f06ca1f06b5678b63e5
SHA512 6b9593b297f5f04c44262368afb6b6afec5f432cc414ed21db1591eac8d976e8155be88c4cb02c71a355796ca9056faab350d485da98a2d807942988da8d6e0f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\2fd4c81e-b9c5-4732-9ad5-fc025350de52

MD5 6dda0d82f54f12993f7fbd4bc2781305
SHA1 e5be5ab3804eaf057678f39c90e6cd188ee29692
SHA256 a3ec468ff95f7250b47b511c87c12302ef2d59cb2bd6bc714ffe3fe1773f72de
SHA512 98b142c2b716bf0065768c9bb8c1d8acd9f40f2ba16f585e3fd850467e4480d65d306226e9d869aedd7214ce1f2cf1c696250a338faa7b940b02ef704a320269

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 394173413f36dc731a1b3f07049bb9d8
SHA1 21c7ec9ebaa7fdcafd46a42239c2dff20d496ab5
SHA256 c185de7cdd8ab4f4394f4955d5fc93f954fd91db283f60c6ffe1011c07db9c4f
SHA512 1a75c57553a27e5eb6750186e7285fcf513089876aae1ecd2757beb3c6322d2283540ce77ae6725a18e06ff970f0951a78d8e1c8f3930f3f05687501cd7c003d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

MD5 2607b0a383606156e22d725564729ce3
SHA1 3e6ccc4fa458f2edbe61f2658da6f181a1eb743f
SHA256 7a0e47effb409d3e1366533ab1056efacca427d9f24584f91a215d634500c36a
SHA512 1da28b4318bffd5675cbfdddae5bf5ddf3d62811d185ec494900b12457227fb490222d12dc732b9b176fac0857d16372e4bde794ab83cf32eddd5e7f896f42e6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

MD5 121ad46b3cf87401bcfac99cfc91e426
SHA1 2b85027d85ff6843d0238eff6e65f7c54d5b3a6d
SHA256 877283fcd45904f2a5ec96d8e7c20839a09ac53d5cda6fa3cc3b99191cb66ca5
SHA512 8f7e47008a522ed3e9d034177f77f9fee0cd42e94325ca23c5ba1bccbbd97fd5166933364073975e05ac108593830af7f3b6f8bd91697780e709481d40228252

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

MD5 088c333cdcecb29515d5af272a94f7f7
SHA1 110baf92d4b92317278dd84c99629d24583d5bee
SHA256 15cd9018af02827a938d4931f2e5a2956a4690461d2a9682def32ea3845452b3
SHA512 50b7cd09835e0f202266c5bfd0a2bab3f1b7c5c374403f00e74a871b584b603fa345f9375ac9f3e27ae81a20e0de038e165066fe9c3db0278ab915e3c200104d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

MD5 85995fe074f5d964befd79b0fb63f283
SHA1 5e9e80fcb79401baadd35b5822fd946b8fdc80a9
SHA256 fba9cb40fbbea5d5721a16db90afa5833b691bea00d779c094bb9fadd43c3767
SHA512 b9f37ee70e8b23689db7ceb64ea22b79b79425fcbbb4df78b081961a390a02fcb36093e50255299bd2d322a2a3e523e25f24803ac899090f078eede4e59205c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

MD5 b68fadf18b4b03c270b6aa0ada5ce8be
SHA1 b4bc0403220494bfe85da37a47e957932f178cba
SHA256 b8b0a431a83cc6b7895b7f5655da79788c4d0bdf70b323c45a73fd61330fa81c
SHA512 ab81c50f57516c4a4684eb72839f9d5eb5a753ec41f244c1abdf7c5d2ae9987b83a66c6d3ecadfa72d07be15613d5a6ccfe58272e55f979fdbafc5931b38d7e2

memory/3172-427-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-446-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-449-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-454-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-455-0x0000000000DF0000-0x00000000012A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

MD5 cc445cdce0c53785da0a02b4a69cf43c
SHA1 a8d08a462247002540e2622ebffeee1845068dd8
SHA256 17ae02631c7a5757a20bd71abee5eb6f95c4edf407af39b89d237063604b3c67
SHA512 93eec2b244fbd1550239e1561168f0ffd676b6f0c4e02d51e883bf146a50a371fc64c10827a52b8dfcb9faac74a2498c96acdcc59d2f76a3c509f5a77f312316

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 1a818c28df302138c54b29971a5cf9c7
SHA1 1cbcc34a573488fdba159daa2eba7ff8ed309f3b
SHA256 71348faff9728c7ca51f55fada2253e84cdaf662b64003ffcbae83541a54e298
SHA512 c3c5ea571a4d61ef25cee0a284fc7588f7676ec2538fa55819326f4fbbbc7873800e9121fde574c4f4d89cdaa3bec3c43829118fef40dcd794ad7274e256a785

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 b401c28debac00edb9828154df4c8db1
SHA1 67d2915fa938e9ce473f1babd669e1a7ba425c54
SHA256 13230ec6ac5db777abe8bfe63877dc58a5e8ed5f9341160e1af9a3cb9a313e72
SHA512 0da648e53f03f26b24b3cf06fc7aa27d21670033f228e269c9ba48266acca1526aa2f9edaf4e5fb9adb12b95c7d2aa3f1ea148522634a6ee8bba71a5f2239df4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

MD5 e4f65bf33d12c50f187147267d61fcb5
SHA1 b9822e283c2756807fe9a0662d1ce68cde670c7e
SHA256 2488fe05df44927dff65457fae52661e260aa86a1225aebf603a5857d5810842
SHA512 5fb8ea2cb0d237836c4bea89f2d53b89853d7e8910f1c270676225544a05e2e2e036a41fd05101b8a9b95a008dc33da593d3474644c6285d94ace5867d6eb5d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d9760a41ad4ad677c1b93955e33f1ad5
SHA1 86b0988ff52e50baed93e1524ef96c8fe89810a9
SHA256 e64ad9801b71a921d4c85e1cb9444a0cc2a14cfa114aec3d1236cd518b08eec3
SHA512 bdd329399cd81d062b93d45a8b4c645fe46587d53451b31975a36b8d2351af1af4eef8a178b7ebcc732de3c029177af3c9806e978736bd0d2e52a9d88f9facd2

memory/3172-690-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3164-741-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3164-750-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-1362-0x0000000000DF0000-0x00000000012A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3172-2140-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2892-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2895-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2898-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2899-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/5528-2901-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/5528-2903-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2904-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2905-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2911-0x0000000000DF0000-0x00000000012A2000-memory.dmp

memory/3172-2912-0x0000000000DF0000-0x00000000012A2000-memory.dmp
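
The Files list mixes the dropped payloads with Firefox profile churn and memory-region dumps named memory/<pid>-<n>-<start>-<end>. Two facts worth pulling out of it: the SHA256 of C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe is identical to the submitted sample's, so the Amadey loader copied itself unchanged into its staging directory, and the regions dumped from PID 1020 and PID 3172 are both 0x4B2000 bytes, consistent with the same image being mapped in the original process and in its copy. The parser below is an added example, not the report's or a sandbox vendor's code; it works on a verbatim subset of the entries above, validates hash lengths, splits payloads from browser artifacts by path (an assumption) and recovers region sizes from the dump names.

```python
import re

SAMPLE_SHA256 = "5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863"

# Entries pasted verbatim from the Files section above (a subset: two memory
# dumps, three dropped executables and one Firefox profile file).
FILES_SECTION = r"""
memory/1020-0-0x00000000006C0000-0x0000000000B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 e4b66dca73b9df6e615b29127344497f
SHA1 af8dea556b8bea1fa0abdbca3c743ebc20744288
SHA256 5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863
SHA512 77b3edf2bc70da1ccb11a9b8a68c132ca2b42b1bc8a524a7ab1d883c95686adca0afa528610dda1ddce3db4c42920753fe05302b858a6d2851256069e341d83e

memory/3172-18-0x0000000000DF0000-0x00000000012A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b892d81e5b.exe

MD5 627b7e7a593c56c3952ae9ef80f5af4a
SHA1 7fc9bb380f9efcfd3aa42f9e7b58cdb41530c8d8
SHA256 d89781341164e48965db98c8d05d83046a4d827b197c54108f0b35df9a9942be
SHA512 6a1c77db5de5a7696901846a8c05f188162acc4729cb8a8e76c5a38527e104710e2dfcd38c32fce9421bf31a95e2be96e4e30e3eb2d40c81c892911e15fc05f4

C:\Users\Admin\1000037002\d88b586c75.exe

MD5 08c4a58bbadc6ca9b4c015f6d73d682f
SHA1 39e3fb93c93a7518e3fac3d5b6bae8fd2d2dc072
SHA256 8e6ceaf7c0ef571561f2ddadfc11ee4519b0d6fae6746e34381e393400c9fbab
SHA512 6b0db9a73bcee0ea9faba522cd1c7250c0bfa307f6c32dc2ecdea8cc0303837ed7b5258a3c7f3120207b49c83d7d1cc50024e4e404db8848ee3a4b5a633672b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

MD5 121ad46b3cf87401bcfac99cfc91e426
SHA1 2b85027d85ff6843d0238eff6e65f7c54d5b3a6d
SHA256 877283fcd45904f2a5ec96d8e7c20839a09ac53d5cda6fa3cc3b99191cb66ca5
SHA512 8f7e47008a522ed3e9d034177f77f9fee0cd42e94325ca23c5ba1bccbbd97fd5166933364073975e05ac108593830af7f3b6f8bd91697780e709481d40228252
"""

MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (files, regions): files carry a path and a hash dict, regions
    carry pid, sequence number and the dumped address range."""
    files, regions, cur = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            cur = None
            continue
        if PATH_RE.match(line):
            cur = {"path": line, "hashes": {}}
            files.append(cur)
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m[1]] = m[2]
            continue
        raise ValueError(f"unexpected line: {line!r}")
    return files, regions


def valid_hashes(f):
    """All four digests present with the correct hex length (catches truncation)."""
    return all(len(f["hashes"].get(k, "")) == n for k, n in HASH_LEN.items())


def is_browser_artifact(path):
    # Assumption: anything under a Firefox profile is sandbox session noise.
    return "\\Mozilla\\Firefox\\" in path


def dropped_payloads(files):
    """PE files written outside the browser profile: the loader copy and its downloads."""
    return [f for f in files
            if f["path"].lower().endswith((".exe", ".dll"))
            and not is_browser_artifact(f["path"])]


def self_copies(files, sample_sha256):
    """Paths whose SHA256 equals the submitted sample: byte-identical copies."""
    return [f["path"] for f in files if f["hashes"].get("SHA256") == sample_sha256]


def ioc_hashes(files, algo="SHA256"):
    return sorted({f["hashes"][algo] for f in dropped_payloads(files) if algo in f["hashes"]})


if __name__ == "__main__":
    files, regions = parse_files(FILES_SECTION)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    print("payload hashes:", ioc_hashes(files))
    for r in regions:
        print(f"pid {r['pid']}: {r['size']:#x} bytes at {r['start']:#x}")
```

The hash-length check matters when a report is copied by hand into a blocklist: a SHA256 with a character missing silently matches nothing. Note that ioc_hashes() includes the sample's own hash via explorti.exe, which is correct since that file is the persisting copy.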

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 21:07

Reported

2024-08-13 21:09

Platform

win11-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b34e08074.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\7b34e08074.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3396 set thread context of 4164 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3200 set thread context of 2092 N/A C:\Users\Admin\1000037002\93cf1ae337.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
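
Three of the signature rows above describe behaviour an endpoint sensor can catch on a real host: a Run value in the user hive pointing into a 10-digit staging directory beneath the profile, a .job file written to C:\Windows\Tasks by a binary running from the user profile, and SetThreadContext from a dropped executable into RegAsm.exe, which is consistent with process hollowing. The rules below are an added example, not from the report or any vendor; they run over constructed Sysmon-style events (event IDs 1, 11 and 13, using Sysmon's EventData field names) modelled on those rows, plus three benign controls that must stay quiet. The registry reads used for the VirtualBox, BIOS and Wine checks are not covered because Sysmon records key creation and value writes, not reads. The staging-directory pattern and the bare-command-line heuristic for RegAsm.exe are assumptions drawn from this one report.

```python
import re

# Constructed Sysmon-style events (not taken from the report; values are
# modelled on the behavioral2 signature rows above, plus three benign controls).
EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
     "TargetObject": r"HKU\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b34e08074.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe",
     "TargetFilename": r"C:\Windows\Tasks\explorti.job"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe"},
    # Benign controls: a developer registering an assembly, an installer adding
    # a Run value that points into Program Files, and the scheduler service
    # writing its own job file.
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\build\MyLib.dll",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Admin\Downloads\AgentSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
     "Details": r"C:\Program Files\Vendor\Agent.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\Backup.job"},
]

# Staging layout seen in this report: Temp\<10 hex chars>\ for the explorti.exe
# copy, and a <10 digit>\ directory (under Temp or directly under the profile)
# for downloaded payloads. Treating that as an Amadey signature is an assumption.
STAGING_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp\\[0-9a-f]{10}|\d{10})\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
REGASM_RE = re.compile(r"\\RegAsm\.exe$", re.I)


def staged(path):
    return bool(STAGING_RE.search(path or ""))


def user_writable(path):
    return (path or "").lower().startswith("c:\\users\\")


def rule_run_key(ev):
    """T1547.001: Run value whose target lives in a staging directory."""
    return (ev.get("EventID") == 13
            and bool(RUN_KEY_RE.search(ev.get("TargetObject", "")))
            and staged(ev.get("Details")))


def rule_job_file(ev):
    """T1053.005: a .job written to the Tasks directory by a user-path binary."""
    return (ev.get("EventID") == 11
            and bool(JOB_RE.match(ev.get("TargetFilename", "")))
            and user_writable(ev.get("Image")))


def rule_regasm_hollow(ev):
    """T1055.012: RegAsm.exe started with no arguments by a staged binary.
    The bare command line is an assumption about how the hollowed host is
    spawned; the report only shows the SetThreadContext call into it."""
    if ev.get("EventID") != 1 or not REGASM_RE.search(ev.get("Image", "")):
        return False
    bare = ev.get("CommandLine", "").strip().strip('"').lower() == ev["Image"].lower()
    return bare and staged(ev.get("ParentImage"))


RULES = [
    ("run_key_to_staging_dir", "T1547.001", rule_run_key),
    ("job_file_from_user_path", "T1053.005", rule_job_file),
    ("regasm_hollowing", "T1055.012", rule_regasm_hollow),
]


def evaluate(events):
    """Return (event index, rule name, ATT&CK id) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, technique, fn in RULES:
            if fn(ev):
                hits.append((i, name, technique))
    return hits


if __name__ == "__main__":
    for i, name, technique in evaluate(EVENTS):
        print(f"event {i}: {name} ({technique}) image={EVENTS[i]['Image']}")
```

On the constructed feed exactly the three modelled events fire and the controls are silent. The RegAsm rule keys on the parent rather than on the target image because RegAsm.exe is a legitimate .NET tool; what makes it suspicious here is who launched it and that it was launched with nothing to register.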

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\93cf1ae337.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2928 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe
PID 3396 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2928 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\93cf1ae337.exe
PID 3200 wrote to memory of 4748 N/A C:\Users\Admin\1000037002\93cf1ae337.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3200 wrote to memory of 3404 N/A C:\Users\Admin\1000037002\93cf1ae337.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3200 wrote to memory of 2092 N/A C:\Users\Admin\1000037002\93cf1ae337.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2928 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe
PID 4164 wrote to memory of 4124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4124 wrote to memory of 2984 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2984 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe

"C:\Users\Admin\AppData\Local\Temp\5f164e1beaec6a6fff5c31b81e33f82d8d309c148fac664f58644452a08d5863.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\7b34e08074.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\93cf1ae337.exe

"C:\Users\Admin\1000037002\93cf1ae337.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\d88b586c75.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27c5cb09-7ae4-464d-a976-567949739393} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0027ba-747c-4dd7-a2dd-15c8b0cd9331} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 1 -isForBrowser -prefsHandle 3328 -prefMapHandle 3324 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb16c0d-7003-48f2-b251-c69f1177babf} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5f48c7-e7b7-4307-adfd-2b4b20a31c39} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4832 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {636f5bfc-8f31-4521-879f-809257863551} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -childID 3 -isForBrowser -prefsHandle 5604 -prefMapHandle 5588 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5191f53a-6880-46fc-a979-80c10fe1a41c} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3792bc18-fa79-44bd-b47a-0f3ec6a706b3} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5908 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cabeecec-f121-40d2-a9cb-d7a01a02b6d8} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 5748 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b5f6f76-c985-484a-b2e6-697191e2a349} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files


memory/2928-2779-0x0000000000900000-0x0000000000DB2000-memory.dmp

memory/2928-2780-0x0000000000900000-0x0000000000DB2000-memory.dmp

memory/2928-2786-0x0000000000900000-0x0000000000DB2000-memory.dmp

memory/2928-2787-0x0000000000900000-0x0000000000DB2000-memory.dmp