Malware Analysis Report

2024-10-18 23:41

Sample ID 240814-c2afgaveqd
Target 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
SHA256 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f

Threat Level: Known bad

The file 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan spyware

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Reads data files stored by FTP clients

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 02:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 02:33

Reported

2024-08-14 02:36

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8fe311e5a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8fe311e5a2.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3992 set thread context of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 set thread context of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\7dd822c344.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3032 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe
PID 1944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe
PID 1944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3992 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1944 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\7dd822c344.exe
PID 1944 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\7dd822c344.exe
PID 1944 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\7dd822c344.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2080 wrote to memory of 2012 N/A C:\Users\Admin\1000037002\7dd822c344.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1944 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe
PID 1944 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe
PID 1944 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe
PID 4140 wrote to memory of 740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4140 wrote to memory of 740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 2628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2628 wrote to memory of 4924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe

"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\7dd822c344.exe

"C:\Users\Admin\1000037002\7dd822c344.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf143da-4b5a-42f5-96bc-86eb78e22efc} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2376 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f5288d8-a037-4528-8a0e-945140890909} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 1 -isForBrowser -prefsHandle 1416 -prefMapHandle 2604 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327dff68-c94a-4fd8-8770-37c03682c35d} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a3ce74-5f3f-4ed2-9893-38bcb2b363e2} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {163d84e9-0eb8-456a-8b68-b55dfa0a0ac4} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5532 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71a9466b-0eb4-4a78-930e-3b5d1814674e} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5712 -prefMapHandle 5720 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f4f68e-9d7c-4021-a9b5-9f956b5fcfd8} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 5932 -prefMapHandle 5936 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fcb8807-8de8-41a4-a558-f831f44d3120} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 6 -isForBrowser -prefsHandle 6128 -prefMapHandle 6136 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec34e08a-ea55-4bd3-baba-2758def7e9fe} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:51968 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 172.217.20.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 172.217.20.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:51976 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3032-0-0x00000000001B0000-0x0000000000665000-memory.dmp

memory/3032-1-0x0000000077424000-0x0000000077426000-memory.dmp

memory/3032-2-0x00000000001B1000-0x00000000001DF000-memory.dmp

memory/3032-3-0x00000000001B0000-0x0000000000665000-memory.dmp

memory/3032-5-0x00000000001B0000-0x0000000000665000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 48c24a152ce98431b83006650bc02fc8
SHA1 d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
SHA256 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
SHA512 35296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb

memory/3032-17-0x00000000001B0000-0x0000000000665000-memory.dmp

memory/1944-18-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-20-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-19-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-21-0x0000000000130000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\8fe311e5a2.exe

MD5 8af76706f6ecb73d3ed8680a5e2cdc0f
SHA1 3668dbf5a57164102d1b0adea941316fa55f47fc
SHA256 922c12d506652b85601064eb571333ef395c88e201acfd6f2a4b69ee13eae5f9
SHA512 ea7f1cd1b32705e3f80a0f050ca9630505604343099e787fb57aa5cdcfee1b75218eb252519e6854ad368513e4af0756256ae7443c8dae93c9cd08829aeab3cd

memory/3992-40-0x000000007303E000-0x000000007303F000-memory.dmp

memory/3992-41-0x00000000002B0000-0x00000000003E2000-memory.dmp

memory/4140-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4140-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4140-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\7dd822c344.exe

MD5 2b845ae9efa4fee06f704f96b9828fdd
SHA1 c3ebc546d88d08c19fb65ba086d153aae2fe46fe
SHA256 da122348356834ca10d6bf9efa9cf352ba2db2e851699f981753e126cae9e508
SHA512 7f1631de67e75bf5b8e08f33b7d3c5cc07b843b48ae8fc40b36cf9698538fca79f2b1cb496d2018a4d93459cc6b83d2cd3d052b1d72997694fa6221547de85c3

memory/2080-66-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2012-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2012-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\048e239034.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4832-86-0x0000000000E00000-0x0000000001043000-memory.dmp

memory/4832-87-0x0000000000E00000-0x0000000001043000-memory.dmp

memory/1928-89-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1928-91-0x0000000000130000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\a00c5435-683c-4aba-b46c-4accc7cb12ad

MD5 8e54ac017ecdc241c21e821308385334
SHA1 1c5797caa4d2a5c1d35f0d7ac6cbfe100bb76082
SHA256 409d64d0a2446af71773ecf25505a9f71ec68183a34a2586e41d5e441afef87f
SHA512 2d5fb20d75fe95b6a120b21f3d06ec65d92ff77261299660e93e9e3376fc33baaca75023456c90682e731c0ababec5906983e17762d633cd3e5f97248b9bdd26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\64c704f8-3f82-429e-a653-5c5f85458463

MD5 ef607567b9a2d687c0456f9e05207df2
SHA1 ba26f2340f3207024159f0408ef37673ee7c3a6e
SHA256 cbca9299324f8ee40e5488aa59775beacd35d3ae6e7977bb72bbe5af0379e665
SHA512 75125171dd32fbb2e5803bac468e5afb468b9d8c397d359d784b8da29ff2cd4fbaa02be7ab5987c67a9645ac9efbb018f35a6be13a7fa4907e7edea40f4068a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 77a168465b3e3a3e181977262fb5935e
SHA1 82ac3117c1b722bf5f7bfe4f41594177a69be8b0
SHA256 1d9589b37b312f7e7db97443e4c8f3720b358fa13a5fc9f7d2d288f0cc5b91bc
SHA512 bef94c569af740769de11cedbd27190a0816d2cfeda4cfb2d6cb0dc9ab362f198bf687b3e18978834ecd3311e167147e1534da46939d1ea815c08ec58860fd2a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 44972857816f057defc1991c6a808db7
SHA1 b66887538f9784f0190cd1ac4c70ab8e59981342
SHA256 58d7370b595bf3e57180be1784dc6a644026de5f1f76f006b6595afe6d4a9273
SHA512 ee2cbc85083323dd51c74f5e1c888e6db7999671ff54bde9e21e25276e7182a53c0c7982afc86868146eb816c56e80fa9bbb18f4446f86347a8fc7674f3f2466

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

MD5 3da92ffdf29f0bb696b5904bdec2a24a
SHA1 44ba9a67551c3bae54390a2c044a50be55699797
SHA256 02ce1558068fb0e66c8e7d0c4261d9cf766ffde438d0b0deb54fe9f9846a41af
SHA512 6cc241c9d53ece621fdfe15ad6b8eb029289941384bd8644cdb1f1e6f0e3fd3450e5c5d7c60682646782d8a82bfce55996f706106e2b5bcab13b1bbc07ba0a25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 cfff79e0532a9464c1a3d5a5c666414b
SHA1 8c69dea435f86e3abae6f636b8401522177bd295
SHA256 35a0327d42e768ca08521d0c9e303c4e75141bfe2024f479b637726d726a5c4e
SHA512 3ad032911c287cabbc2c4caf2e38fb013653f04519699345aaa0c6de85ec8f0536dffb88b4f59da66993bdd0b65801d613bd6a0b257038c7908930ff75f924d3

memory/1944-395-0x0000000000130000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

MD5 c7e96def6fc1dd58acb34e5cc7bf527c
SHA1 4f62ec35664cde5eddb8c22e2ff7b7d535387ca6
SHA256 13a7cc3a0d056cdb307c6672193caab1bef418c816724f61f74eb010f2261c81
SHA512 15949055f0e6ec6ae97855dfd7ba09958cbb0cff229abdd7bef14cca9688c880597401e77044331f5342706efeabbd66eaf8a09b873f410bf0945e00cf1f5cad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 f00f53d57745f26f19e6e2119d514926
SHA1 5a8385a6f87c40d2da8e19c56372cc9ddf38b1c6
SHA256 59b1bc316d9c5c7fff9d36d9a9e920ae92b8a41bab75068793de31bc7ebd8f61
SHA512 b007764c22c9e7e5f0f49ddf44311dcfe7ef487b0ca8c72449ea3a3704b6cbcc58199f34f2f9ebc0013e1dac40ab6003e80e022d1775fd6b1f415a2c2e91856b

memory/1944-427-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-438-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-439-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-440-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-445-0x0000000000130000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 691e003c5feda10e7d33d6477d1cda26
SHA1 24d8a0e8ff718f4d1e957f0fb7220f40fbb6b3c9
SHA256 010e6ca104fd293bd505a849f0c64590ff04b19ebdef2337924ef039855e5cfb
SHA512 fba4d94d1c546521cb7e137f91e82274cd765f4bace7518e6234c8324976ffe8883055e38ba8b52d30f5719fc932f78fd10ee1dd69ac3c6785ac15c00c6a8a91

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 b5bbfc39be5ee3c7f6ee96c15f0fdfb3
SHA1 188eb0d45b6d5c1371a5a47a2b18087285e7c76a
SHA256 ef298c646b38603836aa115c4420a8beeda6530f9dd1df470763f1380084243c
SHA512 12737b70539e445f7a91da4096cac0012fed4395fa0ac674fe846d15546d2001cc44e6f981e584fb5d8c3af6b5cc6e3e0ffde9b6c676bd49005866f75c575021

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 3f5da7069fc1f0e5d8d756e9218078b7
SHA1 5bbc2aa69a188a0c572bbee627da5dcac52bf41d
SHA256 9fe199a898e48fe85c235e40745467264b7a4655ee5d45a2f6912bde64bcf069
SHA512 59573cfd7845382966711f168060b250e9899d7fda7ee82f9cdb306045d49f1203b00fd2e8f60080be11c1b75e994d913a324331032fa266ffdc8036b619d0c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0ba3d9b2aa32c3c4b297f88af8f8f218
SHA1 4d727d50a80fae5fa95cef87dc3efde880282b35
SHA256 340a9cae1deab8c6de5dbe4d653e4d5d52f2b5d7c8f0cb18d956a7397c96f036
SHA512 2d6bbcbbac7e2240429a47955101cdf79d7cea4c2811a2cb28a4f6bd86bbe92b9ae51d78a0dc96e9a7a354a2d564498bf73d1cc5ba8e21401e1472fd8c568622

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 da4196141486f422b0b781dd07192e3d
SHA1 b85bdd05a3ebeeb910a3d4f10f79fb2e3f92261e
SHA256 6dafc3d4d7757d994f03befffe6cd4335a1b35cb7529559c2a283aae9ce4ff85
SHA512 2133a7548011b3c0ff11bd00e91ce728e15c031664425cb57fd32281388b97cf3fb5ea550e71a8ac8b1cbb88669a8db15632dcc08ea169e4dd630de7026210fa

memory/1944-1472-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2624-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2627-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/5956-2631-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/5956-2632-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2636-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2638-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2639-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2640-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2641-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2642-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1428-2644-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1428-2645-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2646-0x0000000000130000-0x00000000005E5000-memory.dmp

memory/1944-2652-0x0000000000130000-0x00000000005E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 02:33

Reported

2024-08-14 02:36

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\e739d7e3e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e739d7e3e8.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3748 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 set thread context of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\72353cd75e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2664 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2664 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4948 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe
PID 4948 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe
PID 4948 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3748 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4948 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\72353cd75e.exe
PID 4948 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\72353cd75e.exe
PID 4948 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\72353cd75e.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5084 wrote to memory of 940 N/A C:\Users\Admin\1000037002\72353cd75e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4948 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe
PID 4948 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe
PID 4948 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe
PID 2992 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2992 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1804 wrote to memory of 2596 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 4048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe

"C:\Users\Admin\AppData\Local\Temp\284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\72353cd75e.exe

"C:\Users\Admin\1000037002\72353cd75e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2559a9b-bdb0-4ad9-a785-6d793f975726} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd797ab-eed8-415d-bdee-6d11099d75f2} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4413f9e1-deba-45bb-89a1-5a1b1ec407b7} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fd52be4-79da-4498-86d4-7597a79e3f7a} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4972 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9891c3f0-f463-4718-9580-7743dc0746d9} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" utility

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 3 -isForBrowser -prefsHandle 5532 -prefMapHandle 5488 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baf8f874-53d6-4692-be81-fdac7b4b9be7} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5488 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff4d9ba-9652-4855-96ba-dea0a0fa43ae} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {143f97c5-add2-4696-bad4-eecbdd4afd39} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6140 -prefMapHandle 6148 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {433e9818-88db-4f79-a4d0-807bfba26619} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49867 tcp
FR 172.217.20.174:443 www3.l.google.com tcp
FR 172.217.20.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
N/A 127.0.0.1:49875 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/2664-0-0x0000000000D30000-0x00000000011E5000-memory.dmp

memory/2664-1-0x0000000077A46000-0x0000000077A48000-memory.dmp

memory/2664-2-0x0000000000D31000-0x0000000000D5F000-memory.dmp

memory/2664-3-0x0000000000D30000-0x00000000011E5000-memory.dmp

memory/2664-5-0x0000000000D30000-0x00000000011E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 48c24a152ce98431b83006650bc02fc8
SHA1 d76713abc3ba7c3fbe823fbefc49d30484ea6ad9
SHA256 284c72735b95b18cf111d5c5178bb7565d2f4d4d36ca6573f88dd0598b58425f
SHA512 35296079dcf7a710a3aeda4e5eca0cb6998f2f1253da50a7393fa42ff26a98ee36d2ba79fbd0c0c513db2bd0c7958d29a4e7ddd70d58b27080c2fa17492147fb

memory/4948-17-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/2664-16-0x0000000000D30000-0x00000000011E5000-memory.dmp

memory/4948-19-0x0000000000FE1000-0x000000000100F000-memory.dmp

memory/4948-20-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-21-0x0000000000FE0000-0x0000000001495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e739d7e3e8.exe

MD5 8af76706f6ecb73d3ed8680a5e2cdc0f
SHA1 3668dbf5a57164102d1b0adea941316fa55f47fc
SHA256 922c12d506652b85601064eb571333ef395c88e201acfd6f2a4b69ee13eae5f9
SHA512 ea7f1cd1b32705e3f80a0f050ca9630505604343099e787fb57aa5cdcfee1b75218eb252519e6854ad368513e4af0756256ae7443c8dae93c9cd08829aeab3cd

memory/3748-40-0x000000007340E000-0x000000007340F000-memory.dmp

memory/3748-41-0x0000000000E30000-0x0000000000F62000-memory.dmp

memory/2992-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2992-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2992-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\72353cd75e.exe

MD5 2b845ae9efa4fee06f704f96b9828fdd
SHA1 c3ebc546d88d08c19fb65ba086d153aae2fe46fe
SHA256 da122348356834ca10d6bf9efa9cf352ba2db2e851699f981753e126cae9e508
SHA512 7f1631de67e75bf5b8e08f33b7d3c5cc07b843b48ae8fc40b36cf9698538fca79f2b1cb496d2018a4d93459cc6b83d2cd3d052b1d72997694fa6221547de85c3

memory/5084-66-0x0000000000F20000-0x0000000000F5A000-memory.dmp

memory/940-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/940-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\e806b8991f.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2804-86-0x0000000000460000-0x00000000006A3000-memory.dmp

memory/940-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\44ff73d5-ee94-4c05-b82f-6fe196543212

MD5 7a7d1b0f8a19acf4852bddc98341b2d1
SHA1 b9af496737fa3d4839008e1993f2b097ee8e6f93
SHA256 b90ee40c7fd6fa96fd96f060937e12c966d16f197f5c90839959d19453634838
SHA512 540e3e9ef4560610423aa9d18669281846b549d7d04c317311ae033bded46a4d39a06417f18debbbbc04f4552566c7051717097f47c6b8aa9c3238197baa094e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\09601f96-9a8e-4fdc-86b3-282849d4fff4

MD5 d6a47061eab5acc62a5167e2bb731595
SHA1 67ce135d6e2a58a98ed5963f9d437906937ed86b
SHA256 0280335868c4f371fa7233ac4e6a41998bd93147e0f457b494fe1ed37ca4d204
SHA512 d0b93e4d35ebbe5383592724baf8d95f6181f7a96fc9a7918eea655a00a3573fefc5e2d0668d9fa35bdd71d01bbde8ab46ae8180e8787425ab938dcbdbbf7fa8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 5088020ca7a406e2660725717bcab2a4
SHA1 4eea11f62bcf25effff082a402c1debf0cfc3bab
SHA256 3c763e69d1d89728d7b5a131972e5cf1eb50899eba2c305a6fdfb22b062f3afd
SHA512 0fe7587e6155125a1841b3946ec7b53f93afc70d46a85d633e03aefa46bdd0a98e0cf83d0a576ae8fbf21515162da99ecffbcf9c71e15805b84d52d9c5ffd4ff

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

MD5 16d1f94e7f3e8c2ce31a89d36f7f1074
SHA1 ab1c70cbbd572ab8620ac5365d2fc27ebd8d0af7
SHA256 220a29913faf0f9dfba73116883000d467ec71249e674a44191b7796641977a1
SHA512 0f759516ebf76229b4d6571291549254eeb10369d15f4a18dfbf96ae4437bc2429eff4276ca245b7fd0dfe97641f8db20f70781ea53beed4d80011fa99b1a252

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 ca2c4b56da08997d456a75c8766bf5b7
SHA1 1e75390a4f650da198dd8faae44e1b8babd12233
SHA256 3f585015e836e627fcdaf115a67215cfddd68fa7bf252cc29655e526f26ce9a5
SHA512 0f57b862dbddd5e930c19c40eb4638737bbecd883bc1b5450e739bcc75f4a95e06c5d8aceebdbfedaacc88fececbe79cc373db0f4ef82da3e740f4a55b7f0d7c

memory/6036-390-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/6036-399-0x0000000000FE0000-0x0000000001495000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 ef63d22499a52df473520eec3bb3a057
SHA1 9b53006981e9ac26edc28c2a3c2926839965bb6a
SHA256 68192470417054c5fb750bb7cfb6b89cb18dc0537c09906f82dff8376d3b958c
SHA512 563b368db5a042f6a27a4a605863c3d10bf2ddcb85b61fca9342320c43f03428b483a7c5617ac0a369f8ed29161a8d7eba33bf6a05181e56b8d6bc9408bf46f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 b8e69225dcff894207f7217c76ed2aef
SHA1 b7e181ccb776e5f02087d1965d6db638fc27c050
SHA256 f2ae905ebb3aec8bf0f42d54ba257b9cc00010268bff18752d244183eb4ee837
SHA512 da249b0931afb68b69c9af507f7f108e688ad0098568f16c11bb83d26dfb1a70b70da3eadb1c0e44b0975a5ed34e42f092e9748504588d9e6b7e66d1e91e2cc6

memory/4948-462-0x0000000000FE0000-0x0000000001495000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\cookies.sqlite-wal

MD5 caadc88cfc1a8addb4a9e3e451034ba6
SHA1 a53f17e4a19179f22eff0fd4a12643490a3bd212
SHA256 e442950dcd2246a8aee282ba9323605c1cca3a9fd928b613ecbb9bc7c4e469db
SHA512 3995347462de1d14c862be1d386664f3eedcf6644777549f6cbc18aaf1471174c77d6fb635bbb67a1cc89867aaeea3e63995446648ea849efbf7628c562e4391

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\places.sqlite-wal

MD5 e60b5df9fda1a7fe66a16c64637a5ffe
SHA1 7275806abf4d302aefe33090f8d00367b4afb0bd
SHA256 bd98230098f4ac47a00a6e2b007142019347961018dca0c5dedec193c18afa00
SHA512 ac796c8b560666ac8b945855dc381bf36f5ed03890a693ec692804d71e3feb33df274dc52ea8ccb169680c9a432710adf647339c534d5ccd45cfbfa9120e5057

memory/4948-500-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/2804-503-0x0000000000460000-0x00000000006A3000-memory.dmp

memory/4948-510-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-513-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-514-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-515-0x0000000000FE0000-0x0000000001495000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 a715e411d0ee7349aca85f6993a77908
SHA1 efc4ca2e0e31ba9fe733ac9967e726ddc339815b
SHA256 abf778f5fbd27067410be1854d0c8e2cd0fdf553405feac26a6cbe66bfd525b2
SHA512 5eff29ab72c697302671a55108de105468aa5174383f6edcded85f47b17114b3138da5a7d090b9580ad0846f352dd4fd5d4d877a64691729159985d34e6faffc

memory/4948-536-0x0000000000FE0000-0x0000000001495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 eb92fb68283908c41685c5383c389ce5
SHA1 fda7497fc49d493d2bff7aae388f2de95c113a15
SHA256 586d984dbdc78b3257da504fe4e6059a9f42b5d903807e59d07177c36f38505b
SHA512 6f4906762b1056a9893369d58b16b08b03ba7bf2c0753b13ca951751bc4391884c51f57973d1e4c47c7ee73db4c818b413aa79f507b1ddf43dad100a3b7ff88f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 41781e6a4c3d2a8aa1cdce77f70bf127
SHA1 57085ebdc659315845a67bf073028850c2cbe72c
SHA256 766a02d75ec73e40df8eed00ddf57d39ea8569623be668b689bf0944b522558a
SHA512 134dc2b22b0bb9346dd616881749cb6bc496650e926795d4e5a41ec8b9c1faf2a2f65059460bb8e91d0d4577dfcbe5ceafb797da715ef0090cf0ae268e6db353

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 c1582c81c84a1bd3f36db23d84f64d45
SHA1 8cdbb8ecc8e22646c1715ccbb228f76686bf03d7
SHA256 4c3cabf710c75dd61bf972bc971883ec0f6f267ccdfb7a839b6c32f4769ae00b
SHA512 a3a32ce6771b960ce5b60024baa17d4d5aeb0e84b551f67e028a783596548c5baeec7dd1b0bef3e02eaf33a6ac72e8a02e2a923ab4e64e84e63aa1fc8122b54f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ca17f9cfa124a0a598a9b335caadd661
SHA1 ee133183d10d45f6a6825c7799572b3d02c9ca01
SHA256 9b72fdacab3ce760ded0c790939be7894e05a433d3fcb5baa4548cb146bc1acc
SHA512 039112fbe4883cb6bc343df57322634dbd0fa3161f50e465e78a508e5c9f55bf82696a20f9f71bac56e7c7d91c4b8345ffb29a44c0c52316b2de08d21d58ce3c

memory/4948-1624-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2636-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2639-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/5220-2644-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/5220-2645-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2646-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2648-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2649-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2650-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2651-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2652-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/5820-2659-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/5820-2660-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2661-0x0000000000FE0000-0x0000000001495000-memory.dmp

memory/4948-2662-0x0000000000FE0000-0x0000000001495000-memory.dmp