Malware Analysis Report

2024-10-18 23:43

Sample ID 240814-e1s8aswgqg
Target 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065
SHA256 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065

Threat Level: Known bad

The file 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065 was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 04:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 04:24

Reported

2024-08-14 04:27

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (4 identical events)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (3 identical events)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92d9271426.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\92d9271426.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (3 identical events)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 1684 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1840 set thread context of 1448 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\f08a015692.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (5 identical events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical events)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 identical events)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (36 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical events)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical events)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical events)
PID 3420 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe (3 identical events)
PID 2640 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical events)
PID 3420 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f08a015692.exe (3 identical events)
PID 1840 wrote to memory of 3388 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical events)
PID 1840 wrote to memory of 5112 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical events)
PID 1840 wrote to memory of 1448 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical events)
PID 3420 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe (3 identical events)
PID 1684 wrote to memory of 4788 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical events)
PID 4788 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical events)
PID 5008 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (14 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe

"C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\f08a015692.exe

"C:\Users\Admin\1000037002\f08a015692.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf7f162-5dd9-4ff8-90df-e66882e513db} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6631501-0e16-4617-81da-587db248417f} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2808 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b334a1c3-737b-4c82-b508-36a7e288c81f} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2df664-5857-42bd-b383-6cbfc77077da} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1456 -prefMapHandle 4108 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ce1cdd6-176d-4200-ac25-127d5522e804} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b9b83af-f195-4e04-8187-3ac77fd38311} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374f732f-8f70-42c3-bac4-f3b507b6bf1c} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e5eb6b0-2ecd-46ec-91fb-47f97d630059} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6272 -childID 6 -isForBrowser -prefsHandle 6264 -prefMapHandle 6268 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13195f84-5bda-44aa-a399-e3d8bf2f21d0} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\92d9271426.exe

C:\Users\Admin\1000037002\f08a015692.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\e1d1b7b7-733c-4e6d-a2f2-2e02942b12ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\57d23599-f8a3-4858-a69d-f5b99d938b61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\5e5f2b11-228d-4b90-bb26-c22a745133e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 04:24

Reported

2024-08-14 04:27

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecde9732f4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ecde9732f4.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1592 set thread context of 3012 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 340 set thread context of 2204 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\f08a015692.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3960 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 3
PID 4224 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe 3
PID 1592 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 1592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 1592 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 1592 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 1592 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10
PID 4224 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f08a015692.exe 3
PID 340 wrote to memory of 2204 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9
PID 4224 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe 3
PID 3012 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 1424 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 2464 wrote to memory of 4404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 8

RegAsm.exe is launched with no arguments (see Processes below) and is written to straight away by the dropped payloads: ecde9732f4.exe (PID 1592) writes into five RegAsm.exe instances, of which 3012 is the only one that appears again in this table, as the parent writing into firefox.exe, and f08a015692.exe (PID 340) writes into a sixth (2204). A legitimate RegAsm run takes an assembly path and is never the target of another process's writes, so these instances are injection hosts. The firefox.exe writes into its own child firefox.exe processes belong to the browser's normal content-process launch (the -contentproc command lines under Processes), not to the sample.
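
The table above records one row per WriteProcessMemory call, so the injection chain is easier to see once the rows are collapsed into source/target edges and the writes from a user-writable image into a different image under a trusted location are singled out. The script below is an added example and is not part of the sandbox report: it parses the report's own row format from an abbreviated excerpt of the rows above; the trusted-location prefixes, the function names and the lineage walk are my own assumptions.

```python
import re
from collections import defaultdict

# Abbreviated excerpt of the report's WriteProcessMemory rows (the real table repeats
# some pairs more often); the row format is the report's own.
ROWS = r"""
PID 3960 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3960 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4224 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe
PID 1592 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4224 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f08a015692.exe
PID 340 wrote to memory of 2204 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 340 wrote to memory of 2204 N/A C:\Users\Admin\1000037002\f08a015692.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3012 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
""".strip().splitlines()

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (?P<paths>.+)$")
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")  # the second image path begins at the next "X:\"

# Assumed trusted-image locations: a write into a process whose image lives here, made by a
# process whose image does not, is treated as injection into a signed host binary.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_rows(lines):
    """Return (src_pid, dst_pid, src_image, dst_image) for every well-formed row."""
    writes = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src_image, dst_image = PATH_SPLIT.split(m.group("paths"), maxsplit=1)
        writes.append((int(m.group(1)), int(m.group(2)), src_image, dst_image))
    return writes


def write_edges(writes):
    """Collapse repeated rows into (src_pid, dst_pid) -> (src_image, dst_image, count)."""
    edges = {}
    for src, dst, src_image, dst_image in writes:
        images, count = edges.get((src, dst), ((src_image, dst_image), 0))
        edges[(src, dst)] = (images, count + 1)
    return {key: (images[0], images[1], count) for key, (images, count) in edges.items()}


def suspicious_edges(edges):
    """Writes from a user-writable image into a different image under a trusted location."""
    flagged = []
    for (src, dst), (src_image, dst_image, count) in edges.items():
        s, d = src_image.lower(), dst_image.lower()
        if s.startswith(SYSTEM_PREFIXES):
            continue  # a trusted image writing elsewhere (firefox.exe here) is out of scope
        if d.startswith(SYSTEM_PREFIXES) and d != s:
            flagged.append((src, dst, dst_image, count))
    return flagged


def lineage(edges, pid):
    """Walk the writer relation backwards from pid to the root of the chain."""
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    chain, seen = [pid], {pid}
    while writers.get(chain[0]):
        parent = min(writers[chain[0]])  # deterministic if several processes wrote to it
        if parent in seen:
            break
        chain.insert(0, parent)
        seen.add(parent)
    return chain


if __name__ == "__main__":
    edges = write_edges(parse_rows(ROWS))
    for src, dst, image, count in suspicious_edges(edges):
        print(" -> ".join(map(str, lineage(edges, dst))), f"injects into {image} ({count} writes)")
```

On this excerpt the flagged edges are exactly the RegAsm.exe targets; the dropper-to-payload writes are left out because both images live under the user's profile, and the firefox.exe writes because source and target are the same trusted image. The same rules work on the full table, where the per-pair counts are higher.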

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe

"C:\Users\Admin\AppData\Local\Temp\13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\f08a015692.exe

"C:\Users\Admin\1000037002\f08a015692.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {120ed890-c3b3-45cb-ba50-d2579aebe862} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2074694b-ee70-4721-b039-482a5789a53a} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2824 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2db6a2-4684-4d90-affa-ee4372c863f2} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3428 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {487c61af-c96c-4746-9f53-f9c318f17330} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4424 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f074691-67c3-4870-a6e2-541c4c08afe0} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" utility

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c26f9a22-6455-420a-9197-ec1613754497} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd61c60e-ad31-433a-8418-9f2a1e9f2604} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f8020d-c0f9-42fc-8954-018e68346f7b} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 6 -isForBrowser -prefsHandle 6208 -prefMapHandle 6272 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {759c27cb-0a91-4f66-a8c9-f3145b256887} 2464 "\\.\pipe\gecko-crash-server-pipe.2464" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

The three TCP/80 connections to 185.215.113.19, 185.215.113.16 and 185.215.113.100 go to IP literals with no forward DNS lookup (the in-addr.arpa queries are the sandbox's own reverse lookups) and precede the browser launch; they are the only destinations not accounted for by the Firefox session that RegAsm.exe (PID 3012) started, which produces the Mozilla telemetry and remote-settings traffic, the loopback connections and the Google sign-in traffic that follow. Treat the 185.215.113.0/24 hosts as the candidate C2 indicators from this run and the rest as browser noise.

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49857 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49866 tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
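
To separate the loader's traffic from the browser noise that follows it, the check below applies the pattern visible in the table: a flow to an IP literal with no DNS name, where the only DNS activity for that address is the sandbox's own in-addr.arpa reverse lookup. This is an added example, not part of the report; it works on an excerpt of the rows above, and the function names and the reverse-lookup cross-check are mine.

```python
import ipaddress
from collections import Counter

# Excerpt of the report's Network table (Country Destination Domain Proto). The loopback
# row has no Domain column, exactly as printed in the report.
NET_ROWS = """\
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49857 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com tcp
""".splitlines()


def parse_net(lines):
    """One dict per row; 'domain' is None when the report printed no name for the flow."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return conns


def rdns_targets(conns):
    """Addresses the sandbox reverse-resolved: x.y.z.w.in-addr.arpa with the octets reversed."""
    targets = set()
    for c in conns:
        if c["domain"] and c["domain"].endswith(".in-addr.arpa"):
            octets = c["domain"][: -len(".in-addr.arpa")].split(".")
            targets.add(".".join(reversed(octets)))
    return targets


def c2_candidates(conns):
    """Flows to an IP literal (domain missing or equal to the address), excluding loopback
    and DNS itself, counted per (ip, port, proto)."""
    hits = Counter()
    for c in conns:
        addr = ipaddress.ip_address(c["ip"])
        if addr.is_loopback or c["port"] == 53:
            continue
        if c["domain"] is None or c["domain"] == c["ip"]:
            hits[(c["ip"], c["port"], c["proto"])] += 1
    return hits


def ioc_summary(conns):
    """Candidate C2 endpoints; rdns_seen is True when the sandbox had to reverse-resolve the
    address, i.e. the sample connected to it without ever using a hostname."""
    rdns = rdns_targets(conns)
    return [{"ip": ip, "port": port, "proto": proto, "hits": n, "rdns_seen": ip in rdns}
            for (ip, port, proto), n in sorted(c2_candidates(conns).items())]


if __name__ == "__main__":
    for ioc in ioc_summary(parse_net(NET_ROWS)):
        print(ioc)
```

The Google and Mozilla flows drop out because they carry a forward DNS name; the sandbox's reverse lookup of 108.177.127.84 (accounts.google.com) shows that rdns_seen alone is not a verdict and is only meaningful for flows that already lack a name.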

Files

Entries under ...\Mozilla\Firefox\Profiles\x698r3gu.default-release\ (telemetry pings, prefs.js, cache entries, the gmp-gmpopenh264 and gmp-widevinecdm plugin downloads) and the %TEMP%\tmpaddon files are written by the Firefox session that the injected RegAsm.exe launched, not by the sample; keep their hashes out of any blocklist built from this list. The memory/<pid>-... entries are the sandbox's dumps of executable regions per process; the 0x400000 regions dumped from RegAsm.exe PIDs 3012 and 2204 belong to the processes written to in the WriteProcessMemory table and are where to look for the injected payload.

memory/3960-0-0x00000000003A0000-0x000000000084B000-memory.dmp

memory/3960-1-0x0000000077396000-0x0000000077398000-memory.dmp

memory/3960-2-0x00000000003A1000-0x00000000003CF000-memory.dmp

memory/3960-3-0x00000000003A0000-0x000000000084B000-memory.dmp

memory/3960-5-0x00000000003A0000-0x000000000084B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Byte-identical to the submitted sample (same SHA256): the dropper copies itself into a directory under %TEMP% and runs from there (see the repeated explorti.exe launches under Processes).

MD5 113bc038fe84de38995f20642177dc1e
SHA1 faffde07789a90122d2480a0396b994d65e31c4d
SHA256 13c5f100e59b293b4b5362ff6d990ce784aa374f1615c0544ca9a3ecca40d065
SHA512 4fb3622a05bb899f343c0eab645a1802c8f8f4213344540ae8a7982ad7ff4f68193f1c6968c4962412e6d00d619884ec0f3013ca5ae2ce857ce42d9184659660

memory/4224-18-0x0000000000390000-0x000000000083B000-memory.dmp

memory/3960-17-0x00000000003A0000-0x000000000084B000-memory.dmp

memory/4224-19-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-20-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-21-0x0000000000390000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\ecde9732f4.exe

MD5 a071730d9855b71c24be356e715bc481
SHA1 5889bb6a5f2884491dc6a47b5d5ab91d22296dea
SHA256 ea76ee73ec3bdc0ffdc801621f5c827c847dee2657700e7c5d73593587323323
SHA512 2a66103984a51f85eb5718169ed3fde288a45ae05ee3216b2da88f6fa3a4798256e6d9ed77f2482184f7390d7e41aa64f67e2c959f18e04e9a3f430658c830bd

memory/1592-40-0x0000000072D5E000-0x0000000072D5F000-memory.dmp

memory/1592-41-0x00000000002A0000-0x00000000003D2000-memory.dmp

memory/3012-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3012-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3012-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\f08a015692.exe

MD5 84f6ebedcc92bf18d5f52eef5055bd03
SHA1 ac5796ab6a6c5221b3e6a35a582ad57f8703b477
SHA256 4c947aa4de82538d4fd7e4f3bc3b6fca0fbd4dda8b5697deec2241a3765741ad
SHA512 22031302adfeebd2765d30e26556bc1817f89c8bcd452d2b6cbeae4ffe5c80b61f333822ea25bd297df45fdb57f82321a4f5441792e49b1b8b1f261d0ff1f311

memory/340-66-0x0000000000E40000-0x0000000000E7A000-memory.dmp

memory/2204-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2204-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\521782bbed.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3260-86-0x0000000000700000-0x0000000000943000-memory.dmp

memory/3260-87-0x0000000000700000-0x0000000000943000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\debbfd7a-0300-40ab-a761-6fda52c9aa66

MD5 d2829631ae08d8959765cbc7d398509c
SHA1 57df353c16769786812c3e02f105fe01c5a52d03
SHA256 76d64d2ee16e83d8bfe00fed29ac6c7198a53c358c46523602b7ce87756caa8b
SHA512 2fe774d3ae3aa31fd086e0fd6652bb2872c791f3fd59f7063bef3d8b42643c6dc203c3e3e3c7fdd31398249510cb60312f8700b1009fc1c726b710d2c01c14b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\36fc3e8e-32ec-4219-82d3-1e8dec5722da

MD5 b5c15bf969247cd4ae09196e0b42fecf
SHA1 d961f7c2d01920d9f4194d200aedfe383e805a47
SHA256 8b3628e3d866f96af372ad19540f0480f34cc1c750e283c7a97bb25742b9e491
SHA512 7cf7880e29e38c47c8660cd9b2150be345f8e6d7d92e89674a9c06ccc4cf71a1f100c8a044d7cd4ba13033f5f487cea64eb0c53bd420565e9d484a5db8be89a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\9faec2b3-c184-46e2-9803-6cfd724a7859

MD5 b7ce4f8a62211f4ddd1f6aae6ce62a5c
SHA1 6963893d3a42758faae50c7c57cffd44f044961d
SHA256 accfbce38203fc33803e9438a56e858816495b3c1d945fb9865fad481cab4fed
SHA512 7d769859e85db8954e62e826331b389c2b0cf9f98e96d3004041bcda00c8282b78afdb38dffe8c25d6d5f5ce8333914d35d4bd46ed7817cc306af5e8d48765d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 9e89889161f0777de460242cd6ae398a
SHA1 7f2ea196b90e547c9130854efaccd96819a4693c
SHA256 88aa06f15b51e6ba2934f82e56a6cc41488d1ff073d0c7557612f7cde635d1c1
SHA512 d2eee98ae06f7dd27a371938e1deffd79267c7b49b21b7b99c12a98dd0a78adc1b310bb35d15273ad3577998577562b09dd9aa2ebb32f3db300be8060af84ca5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 1cef7d1d5751a04692bf5b4f21d86c0a
SHA1 8b32411582bd704c6d45da19e68c94e3c45a58ad
SHA256 d9269c94667ce8340c29b398084f8be61d77bceaad2a4a1ce16984940039eb8d
SHA512 0d630c90af33d2fb9a8501f3b3381bc59db1c8122ee0d2286b8b72bd83b310a81ec0bef49d389ae97213ebe70b4036d21f91a97abba8c28a423aafa9981f4646

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 97e98fe9d99420cb2749931d113256cf
SHA1 f6fe185cbe585ee307f08a9b4ad4c76636bc12bb
SHA256 637d5229172a53ed29f9378825f74ecdf8ae5e8c940c8c04377755eaec6d21ea
SHA512 b1d820dcb88ee198f2842d90d080f71e10f999e7455ee5e7297a8cedd0b61bcd02587bd2d37397b9a90f420414c2673075363168efb5b044afe16954700c4252

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

MD5 2002288021f3fa022861caff997ef89a
SHA1 ee56bb5d0d839706e76a0ead303a2eaab9418b54
SHA256 136d7b71cf032eb3332ce56b9d3448b5c05116483ec5a85bf95f79c48e9cd58c
SHA512 503dc79c7d3899815f3b6697a336166e7e5cb22f73a2a441a42c0b7c75cdc75c1995b0df58ab1fcdadd642ea833c0bd54e077beb56bd8fe83e736465dee09797

memory/1628-360-0x0000000000390000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 5ceec1c5f37a8621e3a736fb2cf2cb3b
SHA1 b1e99776a89b33e2a856c2267a92f4744946ec2f
SHA256 ef80a49ac427737cc94a835e8a8fb60d4738292e90f80c224446cd43c00acef5
SHA512 e25e618e644741f4fa541774da105bfc9e1d03365f27e83cece18abed2e7561cb7a7be61d66db63474d7ae358dfc72c5392a94d017f082126645a0169b35b854

memory/1628-389-0x0000000000390000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 492c78900c931a10cd90f04e78f9df4a
SHA1 38b5059d52125f0ed101d3606b187ca76276e6fc
SHA256 3b98e665bcbb6d6ba586455a81bdc7bcd706f8e89040fe2f7acbf83c3e99e4fb
SHA512 285a4da4bda0e20e73352c3353d0325ed65a4a5cad3ea531a64b3a7d434d9cdc03303a28f3423967029b4490019da067ebe2173ed9ca2ea9f0d185eb040b9f13

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 c3bd9d954d883dd0f9006946fb30dd5e
SHA1 9c9871c6026fc5ab2e3c5ce212e810effebee3d8
SHA256 caffa5fa5f19dde0815f392ac825d9f46f48a464be19860bfde391d6975a3502
SHA512 c1f19b7b0a0f2c5887d152d549c5a002c6a4f3ae8f2a34573f9d50f8830ef4c02ffd3fd7b183157d242272e553c3193a2fe8301181ccd1e7a0d6389939a5e500

memory/4224-434-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-451-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-454-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-455-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-456-0x0000000000390000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 642411ab8f4ba9e2f7492e62f7dd17e3
SHA1 d302291c5ecd78456a106b93c95907ba7e8534ed
SHA256 25464adb901bd51d1fc86a62105bc0e95bf7fd060183550e3608d80479b969ed
SHA512 6050e730e1f82f5f7121b67ac4b783a3db96a3e1efc799992d299e39f5ed2d0f798d3de86c6f9edd42dc86d00065cf2a9d0f90a3318e1f82710a8c62ba0cc017

memory/4224-472-0x0000000000390000-0x000000000083B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 75e4ef88167248f2453284164326e055
SHA1 5b912f3af925c2e7a425e9b87231919d72665c16
SHA256 bd70eb4a57f7ef06403de2982b7debe29eb9a6e093fc158913e8533e69dd2f42
SHA512 ba95f512c2625bdb9178e81aca776bd02c2c05aa78338052aa684fc4a95c621bdc1685ee2a3e24e07a1fc5599f6aa6d8b55cbc7fdebb8cd548bb9d111c50e779

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 1ec9ba6b2424859ac85b7f3dee5607ae
SHA1 59b0fdd57b39c8a9ab7e1fce6a4abccbd1f3b464
SHA256 50da7332cce386761e4f6beaccfc93d20f9bf22875248b2c8d0839c51cff7879
SHA512 4ba31b48b0b7b8b421dd8271ddf9583114d6754d40f91a86724295683371a73a1f77fd51f22a13cda6df658b33ff528444f21593f1d3f83e76d74a6a576429f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9fc2d176e9d9d959c1b5eec75aa8d36b
SHA1 5b5d163d92cbcb5454ed1f787e1963fa4b849f5f
SHA256 b2fdcb5245083fb0aaa39a7f5b1d18a619422b10cfb34e908656467023251d42
SHA512 a538f1a4c5dc42fc62eee797644181325036a3176e52d91b310cb9bf5cbf83e556bb83392d0f01466905da07229489696ce43347132b6c34b00618969e27db97

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 092a0b17ca9848360937b9af52720e2a
SHA1 5d037c97ce8a1ddcce43f1dc82bdb914bbe19c1e
SHA256 ce46bf772c797e9462c853da8f8d50159a6092deff94aeae869d27afd5c0465a
SHA512 868b353200484528aea7603ffd5a82b074d4300a0d6db010b78cb09d8e4b22ba1f8ad5399e9955b886af8f69833d0d10db1a8b5a82f89292d5b29ac741e52b8f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 b0cdd1d58e946df4a36eef864beb1867
SHA1 6dce001c571d01d7e9f555fbbdd524a170246a09
SHA256 b11ecf333d385bbdaf5280942d95e61eb8a77aae4dd4440beab9636c3d04d187
SHA512 d778a7814a3a7dc854a19fc2fd30ab63b1c2e8bf1df5e3738396b2c69a946e4c141b4752b8d048a4ea1faca40fa50ef4f8c7e181ad48ee827d6d9ff6b8a90afb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 ea43aaf5ed148213c1198d5f13063dec
SHA1 1d61598584562623dded09e89d2b97afa25db935
SHA256 ed198b385ae68435119c04b967ec6cac26334968513ae84185e04acdd648b301
SHA512 bfd4e4872d51e8e05ebb6a1b5000f383cddf9a880568e6d4fe59cf99143c98e2afd3b16cf0125d354b88ac33d37165ac7389bd209445473b3fedd6b0a05ed879

memory/4224-1286-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2513-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2581-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4116-2588-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4116-2590-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2591-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2593-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2594-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2595-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2596-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2597-0x0000000000390000-0x000000000083B000-memory.dmp

memory/3396-2599-0x0000000000390000-0x000000000083B000-memory.dmp

memory/3396-2606-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2607-0x0000000000390000-0x000000000083B000-memory.dmp

memory/4224-2608-0x0000000000390000-0x000000000083B000-memory.dmp
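One way to ingest a listing like the one above into a blocklist or a triage notebook, as an added example that is not part of this report: a small Python parser for the blank-line-separated "path, then MD5/SHA1/SHA256/SHA512" blocks and the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries. It checks each digest length against its algorithm, separates memory regions from dropped files, and flags paths listed more than once (prefs-1.js appears twice above with different hashes, i.e. the file was rewritten during the run). The sample input is copied from the entries above; the record names and the reading of the memory-dump name layout are assumptions drawn from the visible form of the entries, not a documented sandbox schema.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Expected hex-digest lengths for the four digests the report lists per file.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# Assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_artifacts(text: str):
    """Parse the blank-line-separated 'Files' listing into file and memory records.

    Returns (files, regions, errors). Errors are recorded for a digest whose
    length does not match its algorithm, for a hash block with no preceding
    path, and for a path that never received a hash block.
    """
    files, regions, errors = [], [], []
    pending = None  # path line waiting for its hash block
    blocks = [b.strip() for b in re.split(r"\n\s*\n", text) if b.strip()]
    for block in blocks:
        lines = block.splitlines()
        m = MEMORY_RE.match(block)
        if m and len(lines) == 1:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        hash_matches = [HASH_LINE_RE.match(line.strip()) for line in lines]
        if all(hash_matches):
            if pending is None:
                errors.append(f"hash block without a path: {lines[0]}")
                continue
            art = FileArtifact(pending)
            for hm in hash_matches:
                algo, digest = hm.group(1), hm.group(2).lower()
                if len(digest) != HASH_LENGTHS[algo]:
                    errors.append(
                        f"{pending}: {algo} has {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}"
                    )
                art.hashes[algo] = digest
            files.append(art)
            pending = None
            continue
        # Anything else is a path line; a path followed by another path lost its hashes.
        if pending is not None:
            errors.append(f"path without hashes: {pending}")
        pending = block
    if pending is not None:
        errors.append(f"path without hashes: {pending}")
    return files, regions, errors


def repeated_paths(files):
    """Paths listed more than once: the sandbox saw the file written again."""
    counts = Counter(f.path for f in files)
    return {p: n for p, n in counts.items() if n > 1}


def sha256_set(files):
    """Sorted, de-duplicated SHA256 list suitable for a blocklist feed."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


# Constructed sample: two prefs-1.js entries and one memory entry copied from the report.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 75e4ef88167248f2453284164326e055
SHA1 5b912f3af925c2e7a425e9b87231919d72665c16
SHA256 bd70eb4a57f7ef06403de2982b7debe29eb9a6e093fc158913e8533e69dd2f42
SHA512 ba95f512c2625bdb9178e81aca776bd02c2c05aa78338052aa684fc4a95c621bdc1685ee2a3e24e07a1fc5599f6aa6d8b55cbc7fdebb8cd548bb9d111c50e779

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 ea43aaf5ed148213c1198d5f13063dec
SHA1 1d61598584562623dded09e89d2b97afa25db935
SHA256 ed198b385ae68435119c04b967ec6cac26334968513ae84185e04acdd648b301
SHA512 bfd4e4872d51e8e05ebb6a1b5000f383cddf9a880568e6d4fe59cf99143c98e2afd3b16cf0125d354b88ac33d37165ac7389bd209445473b3fedd6b0a05ed879

memory/4224-1286-0x0000000000390000-0x000000000083B000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, errors = parse_artifacts(SAMPLE)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    for r in regions:
        print(f"pid {r.pid} region 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
    print("repeated:", repeated_paths(files))
    print("errors:", errors)
```

Digest-length checking catches the usual copy-paste truncation when hashes are lifted from a report by hand; a path seen twice is worth keeping as two records rather than collapsing, since each hash set describes a distinct on-disk state.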