Malware Analysis Report

2024-10-18 23:41

Sample ID 240814-g4842asgnk
Target f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0
SHA256 f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0

Threat Level: Known bad

The file f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 06:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 06:22

Reported

2024-08-14 06:25

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c1ec43858.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\7c1ec43858.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1132 set thread context of 4652 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4664 set thread context of 1452 N/A C:\Users\Admin\1000037002\9fd1a2f5ad.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\35ece3dd27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\9fd1a2f5ad.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3484 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe
PID 1132 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3484 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9fd1a2f5ad.exe
PID 4664 wrote to memory of 1452 N/A C:\Users\Admin\1000037002\9fd1a2f5ad.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3484 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\35ece3dd27.exe
PID 4652 wrote to memory of 4912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4912 wrote to memory of 4560 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4560 wrote to memory of 4856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe

"C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\9fd1a2f5ad.exe

"C:\Users\Admin\1000037002\9fd1a2f5ad.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\35ece3dd27.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\35ece3dd27.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {004e016f-6b50-494f-887f-772fab7900eb} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b401917-7c7d-4194-afa5-0995316082a6} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3192 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f419b129-0f7b-4a98-99e1-99bfdd5e15ff} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2236366e-b312-4bfb-b5c1-d80d1114a3d5} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4336 -prefMapHandle 4276 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c39558cb-7147-430c-829b-dd43e3abe844} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50c9990b-ad79-4db0-a32d-3ae571d15277} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b751b9c7-087a-4798-a304-ba58e72a3c6e} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 5 -isForBrowser -prefsHandle 5940 -prefMapHandle 5936 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e95c9d-6795-43b8-ad61-3a544736e587} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6412 -childID 6 -isForBrowser -prefsHandle 6424 -prefMapHandle 6420 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36b23759-6455-450e-88c4-8a4b3d223eff} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:56973 tcp
N/A 127.0.0.1:56982 tcp
US 8.8.8.8:53 34.42.82.35.in-addr.arpa udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2072-0-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/2072-1-0x0000000077D44000-0x0000000077D46000-memory.dmp

memory/2072-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

memory/2072-3-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/2072-4-0x0000000000A50000-0x0000000000EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f3ef6ea2a9629f605bb4c6bdd197b3e1
SHA1 ffc67e08bf3897b3b6d8eb45150ddfab9d11ce96
SHA256 f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0
SHA512 3e769090ab70a81bcf37e01701ff1e1f6081c3258e65dc25d16f19ac7804ffbbc0823229bc765465d0c7a7e24514524a9a007d6919a2fe098d6be026ac3c44c5

memory/2072-17-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/3484-18-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-20-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-19-0x0000000000141000-0x000000000016F000-memory.dmp

memory/3484-21-0x0000000000140000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe

MD5 fdf21f3d12ad57882b440a836e1d34cd
SHA1 989c59558befc0b36398f37ffebe3e7a1e547d7d
SHA256 7a70259c92053fe11ab86abd7939df74094b9a62617d146eaeff3b1fbbdfa6af
SHA512 dcca41ee0f1df37fc5deb762f272dd763f2078f404dc615973231e2f6d360b4a18e331be9060ae3b70337efc4484bfc5f13d7e2cc0d1fe57cbd309146425959c

memory/1132-40-0x000000007395E000-0x000000007395F000-memory.dmp

memory/1132-41-0x0000000000680000-0x00000000007B2000-memory.dmp

memory/4652-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4652-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4652-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\9fd1a2f5ad.exe

MD5 023067031c6cfdf586bdad2cab514c6c
SHA1 831efce5366ab12d5f63079d0767048b8333bfbf
SHA256 f7de5cbeab4c68986a67448e0efa72b244ecd86eca1cc8bf373168b6fba454de
SHA512 59c96c2b182702793abfd5d89b2572f27dc5275aafdc13b7b373e20910ea06d155532a28cc9d9339d0a5b3ea60c5aa7de57f74521ab3ea56122a51f39e006ccd

memory/4664-66-0x00000000001D0000-0x000000000020A000-memory.dmp

memory/1452-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1452-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\35ece3dd27.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4468-86-0x00000000002C0000-0x0000000000503000-memory.dmp

memory/4468-87-0x00000000002C0000-0x0000000000503000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\c7806fcf-9fd4-4f47-b21d-54223d5a5ddb

MD5 09ce1066daa06fd3d27c6a221cfebe82
SHA1 799ccdc89a719eaa407d87a49f5f6af03fbb192d
SHA256 dc762415f91d4e4e2ac9ee3431c14018d48b52f581a4bff149063e11d9b2b1b1
SHA512 3a4fa79a72d2d05bfe65c78d18f4cee8a78fc87958dc4d531a731bea18165043e508ef5062a31cbfade71150b60fd036f5cca9d34cb47d196e9c865a43a5cd8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\d56b220c-df1b-4ff6-bf1a-a24587dd9aeb

MD5 89af6c4c846163be7304dacf66eaabed
SHA1 37174669e2d3144c29a068f38a112ea1fb822249
SHA256 b5e05cb0bf59d07a3f22b98c80c6615a48cb6efb1fd3e0e49c8be571bfacdc47
SHA512 c57901afcc34a299368b59df0b0f134644b69b9144585443e422f42d14591fb775f44e44d71715e9fc2dc5273399ad70927ce402ed5e8396dfecfa9c713bf7bb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\3ce457bb-1159-4cb5-a62f-20c84a651fae

MD5 e6df05dd08aca60d1a2999d42beaabae
SHA1 08a15936e1a263507243acef0742a249515fc8d9
SHA256 ddc018bf322f9b285d6cd1ba0f7817bbdbaf7a603c2f9202fd715a653657259a
SHA512 6c0072dfe3bcc682ce20fb5d7f17e2c529be773a3adeb57add96c96c4a375679ca978d38908f25df762fc6a12c7621063849e44425759cfc8fe37fd92b133b54

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 73032c3aa923d3ccd86f7a4dd1a56d62
SHA1 02f5e15216a3d3c77db54daf7cbb5a8c417f6ce0
SHA256 eb12b063ddf1aa2c3b2ba537ea801e9fd88d3c98dc3057bb2eb857daab9e666a
SHA512 4abb2420339a229f2574bf0e25eb9353c663442801c94044de91aaf78bf52047613eb5d229e44f3df8f95fd00c8a32ecd298efffe2a7c10f22086dad578b8cb0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 b87e9312e940c2b9a17c734a0e7c1341
SHA1 5f115f90daa382a0f0cae54ee7e6f2f16c168dea
SHA256 f3b8862340f73695361033ab1c79c0af0cda759c41262063796d4684b8dedffa
SHA512 0e751d1a9f243f06a04468b33256b5c61582c6abc303bacda639a974070b99694f0ca23c7c3dde6774108ef407323d3956ec00404cc72b703889870c285c0b61

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

MD5 fb9da356fcbb08c9c44a6e87c07dedb0
SHA1 905a450c0ba05432a1a99ff55bb259fad9824850
SHA256 65236722d7098abd5486837ff37e25e18f9789b6209e0dd63d83f4695d5eab24
SHA512 386ee7eabac8a55a76d8e1cbe8ba03af4458901039c9b605f52dc0745ce358e045922868e5fdc0f25295b17898b8f9d03597e0ac5842830f0b14f6b892143aa4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

MD5 4484f2590486977c64ce0152c61a8174
SHA1 105fc8df6817efab85a274a405d5f0591ec39a93
SHA256 ade13abad007bf65d7171da92fe5a816e889d94e0ba5767ef431da96bc3cb081
SHA512 848312587e9d4032679dad5d94a80d41e62836c957e17f730451ca7c6700fc6fec725ab24c71070ce4edcd070efb1caceec0f0811da4182e662a87dd50899f3f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

MD5 7a11ab3bd24fd1c9cdf57eefc1c4d1a7
SHA1 8248c6d96ef0026a93e4441e0e1759a2f779884c
SHA256 e86af81739b9494132f973b0b433d24141e10508c603660ecbd94e36c1db52ed
SHA512 e778136c4d044c994a034f9a109574fd2ac1aa220e88520d19dfe3a5557167c8f040127098d105f9062a5095338b3bb8956e67f18e34caaa2bd8785fa2594b60

memory/3484-430-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/5932-440-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/5932-442-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-451-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-454-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-455-0x0000000000140000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 316f7223e4297cab2fb0e5c428cee9b5
SHA1 3fffdb36a41b3aa6257297500a0aff944c505f91
SHA256 682e3c7e4173ab893fb9ece1c5a703d9b49ceffb9c8695d43e3ad2422f69f416
SHA512 147b3407a181d68e41cf13db1db3945f129ac725ca61bb8b0f5f10d2e826501bfe88e7a09dcc32d0dd9d9a6518318c075dd8a56054bda51e7157244d666bfb05

memory/3484-473-0x0000000000140000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 dce0df233aa56badb780ed8b3dfbf9a5
SHA1 9e370fa9f62b1785664ee1413e0136053fe07f91
SHA256 166cc8efdf693abbd45553197634052e1105ec5ad2e8540050516e4352cf5660
SHA512 ff88590fbbb94260a492bc78e38eb946bac072aa7686a13014c44fcd0b80f5364d3e9103af9a2cbe35135b55daf8fc5b71e303d57bb23723cf95d3296bdae3cc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 f363529309c2c2cd2e659811c3b31af4
SHA1 21850969959b8ea4256d9bfedb48201a2c1008b0
SHA256 f5a1da3678a118cc6b0b0e160936b4e9de0d817d6950320d3ccbaa7df0abcb90
SHA512 b073d8cbe791acf4b1c2b9c3abd0e444ac1b25e6cdae430c02a71a6894e5e9a28d8ca86bdd56078ddb6500ba8804038d49555e809422a74bf2a91bdae44d7fc4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 12b6449b433bf3780432875225493e29
SHA1 07cba346c423fd7fcffe523fe0b3a6ce6396aecf
SHA256 5495cdada397fc02382fdc66f1ea9bbd3961cf63c80c52fd2b3560d3dbbf39b5
SHA512 84c084a581af003f0e62bc0e98332db254c636385a14a7d1c28906792d38d77dc5b02b6c0cb8863c31ebf6ec02f103c0861793bf37f3b8514ba97513b9a0c298

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

memory/3484-1309-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2499-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2546-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2553-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/6008-2557-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/6008-2559-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2560-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2561-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2562-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2563-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2564-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2570-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/6008-2572-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/6008-2573-0x0000000000140000-0x00000000005E6000-memory.dmp

memory/3484-2574-0x0000000000140000-0x00000000005E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 06:22

Reported

2024-08-14 06:25

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c1ec43858.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\7c1ec43858.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3632 set thread context of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 set thread context of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\9cf13c5d16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3068 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3068 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe
PID 3860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe
PID 3860 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3632 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3860 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9cf13c5d16.exe
PID 3860 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9cf13c5d16.exe
PID 3860 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9cf13c5d16.exe
PID 3776 wrote to memory of 1440 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 1440 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 1440 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3776 wrote to memory of 3608 N/A C:\Users\Admin\1000037002\9cf13c5d16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3860 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe
PID 3860 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe
PID 3860 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe
PID 4768 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4768 wrote to memory of 4208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4208 wrote to memory of 1400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1400 wrote to memory of 4960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe

"C:\Users\Admin\AppData\Local\Temp\f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\9cf13c5d16.exe

"C:\Users\Admin\1000037002\9cf13c5d16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b13b1837-fc59-432f-b7d9-e70a9cc9ba4e} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a145889d-5543-4261-9f74-ce71c9495005} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3324 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade02d4e-7cf3-4a75-989e-5f4fc4fa7381} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3720 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08f05455-5025-45ae-b347-75758a5324b3} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4648 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b507910-193a-4596-b202-0f2dee896d93} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 5668 -prefMapHandle 5664 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {716c9f4a-4767-469b-92d4-4d147146f409} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 4 -isForBrowser -prefsHandle 5932 -prefMapHandle 5888 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8a0460f-5f22-44bb-b60d-6eb5adb0c562} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5904 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5924 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11fe9f5f-44dc-42dc-a0e7-120b5f90bf28} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6124 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 5904 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eb4d7a1-af44-485d-8ca2-8cbc62d71833} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
N/A 127.0.0.1:49838 tcp
N/A 127.0.0.1:49846 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/3068-0-0x00000000004C0000-0x0000000000966000-memory.dmp

memory/3068-1-0x0000000077916000-0x0000000077918000-memory.dmp

memory/3068-2-0x00000000004C1000-0x00000000004EF000-memory.dmp

memory/3068-3-0x00000000004C0000-0x0000000000966000-memory.dmp

memory/3068-5-0x00000000004C0000-0x0000000000966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f3ef6ea2a9629f605bb4c6bdd197b3e1
SHA1 ffc67e08bf3897b3b6d8eb45150ddfab9d11ce96
SHA256 f1460649ddf8662c8e5de0bde174b682f5743b780d4740c7d88385a3e72508a0
SHA512 3e769090ab70a81bcf37e01701ff1e1f6081c3258e65dc25d16f19ac7804ffbbc0823229bc765465d0c7a7e24514524a9a007d6919a2fe098d6be026ac3c44c5

memory/3068-17-0x00000000004C0000-0x0000000000966000-memory.dmp

memory/3860-18-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-19-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-20-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-21-0x0000000000180000-0x0000000000626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\7c1ec43858.exe

MD5 fdf21f3d12ad57882b440a836e1d34cd
SHA1 989c59558befc0b36398f37ffebe3e7a1e547d7d
SHA256 7a70259c92053fe11ab86abd7939df74094b9a62617d146eaeff3b1fbbdfa6af
SHA512 dcca41ee0f1df37fc5deb762f272dd763f2078f404dc615973231e2f6d360b4a18e331be9060ae3b70337efc4484bfc5f13d7e2cc0d1fe57cbd309146425959c

memory/3632-40-0x00000000732DE000-0x00000000732DF000-memory.dmp

memory/3632-41-0x0000000000FC0000-0x00000000010F2000-memory.dmp

memory/4768-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4768-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4768-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\9cf13c5d16.exe

MD5 023067031c6cfdf586bdad2cab514c6c
SHA1 831efce5366ab12d5f63079d0767048b8333bfbf
SHA256 f7de5cbeab4c68986a67448e0efa72b244ecd86eca1cc8bf373168b6fba454de
SHA512 59c96c2b182702793abfd5d89b2572f27dc5275aafdc13b7b373e20910ea06d155532a28cc9d9339d0a5b3ea60c5aa7de57f74521ab3ea56122a51f39e006ccd

memory/3776-66-0x0000000000910000-0x000000000094A000-memory.dmp

memory/3608-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3608-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\9fd1a2f5ad.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4864-86-0x0000000000110000-0x0000000000353000-memory.dmp

memory/4864-87-0x0000000000110000-0x0000000000353000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\464b4ea6-b00f-4fb8-82d9-0eace69e39c4

MD5 9fd43cff4bdaf33f37d89ee1e829f434
SHA1 a2b501b3f10a54fbdaaab20aa4bf54a5a2df60b2
SHA256 54a30f5f6cbe31b9413812612563de13b3d6a05d2e1d36d96ad39784c2fd7497
SHA512 760e44068e95a5c2bb58311b79a8b1df51d09ffe02037a000b36f03007f946d976577914c9eee1e656fe8fffd4bfb357f9910643d377f7d4b66508b3f3dd952d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\64c63e96-cb0a-45b3-ba70-102fa2a7220a

MD5 2e9d5bbfbe7137d97a29a3a80efcfd2f
SHA1 3e34dfc68736c4157e9088a7a559adea0fdf0e8a
SHA256 dca7012c4e6281351c031086f31fae0eef5671e6bdce099ca49fc590d3ffac7f
SHA512 6c889ce1880820c5dab35d9afc5e828de9ed7b6bb862c5ec47da19862123fb502022688f4fd3bc637679e0c94320122daeb6ada07544653674bac77007876556

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\54bb9e2d-3c2b-43ae-8dd4-a3337afbf066

MD5 bdc9b86c1afa214a4b5e3d42fc216bbe
SHA1 ed9fa3d2e893f1bf75559d2f364948fa7c38cfac
SHA256 2435155b7f1640d50f9489e0420aa80555ba518aae02e35f765cb1d43af84753
SHA512 11f1b149ea5dcbd442533cb3089c9a7bdbbcda7ba5d53290b3b04d67eeaef39d6abc1f8b64e07dd28fe99bf2ef4e88401038137466e4fd17500adbbaba2a7042

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

MD5 3aef27ad4c65ca2a3d1874f00fa2efc5
SHA1 48f95d692aead6f46db6802fa21b4bb884e6bfe8
SHA256 2708a103af7b2fb948d812e393f37b84941f251adeb6be6fede08d2b0073df93
SHA512 7a938c2c81c4bfbffd160c15b907288820c6126b6f9ee0d3d4f751931b41961c85022216c2222e1216e3034d0856310ad049651cff2ec9638e9afe8d22a33c06

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\activity-stream.discovery_stream.json

MD5 5a2bdcba188b962c5c1dd4bad708c3cc
SHA1 6c4f9efb7c37f99858b46291d63a4dd2b4dc1477
SHA256 b7f039471c05a4be7b6e827f167525ea44efb32546a6c568fc258f767ff6857f
SHA512 0ece2b090607512481ef9c1253f75260b0ca46a26e06304bc4b25da6920746c9776e2574d83214ec99e76b4c780eb4d82fa0727681b4848b2f17181d589bf2c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

MD5 fd02776cfe5b83d999a6fead86963b40
SHA1 ea9937953eb9adf90e31fc7005a860860f433a5a
SHA256 e06c45122662f3262b46bdff9cd37faceb39e10d1f04c873253fea8c6c841731
SHA512 329f2adc4da219dc37fae5161292ed9df57df6a055a8c9dd8f05efde1756915f25d8bb76d790170d9a15b3bddd74549787e413d55c09cff9ea894bacd0c1f4fc

memory/3860-424-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3980-440-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-439-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3980-441-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-444-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-445-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-446-0x0000000000180000-0x0000000000626000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

MD5 7f0af93a27eff6d4a6ca21685b0bbbe1
SHA1 1a05afd72075ec4cd08840b93755a60b5df3404e
SHA256 cedcfac186891b6342d3a50e2c26a08ed6824c7466e6994dce52efef251c1f2c
SHA512 54a05e5ced17e4c2e56a8ee6ec1379fa2e723ab523fbd885f2b4142ce994c6ff5426ba252ec1933394e6260b1e9747e9370d52fa0ad4b16e7ea14495cec309e6

memory/3860-459-0x0000000000180000-0x0000000000626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 4fc85d5a3a7abb8bce56a20dba4620d3
SHA1 7dc3ec5bb890685ff89b5370ed70471fa30fa09d
SHA256 d074b47bb4d9799c564fe0ea855f3fae36401e47e0bdb56199df7903de436c85
SHA512 1682a488deca5f6783b3e541525c6ea52a7560669221a29af84024fe50047d4e5ca730b368797e6d21014754529b03a12441d2306903f39f675769986aef0604

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

MD5 9ac2b281a9a0dd9512a31eb98e7fd4d1
SHA1 d7066478806c98f0d9cd5eeae3bca78eeb7e4b2c
SHA256 0954fad58cb9ba03199e86d7bd8e79700454eceab25d3195ee941dc07e15b090
SHA512 3acde40533c397528d8d19616e29112c73f1ea80ffa5340fee648ada2e540822644db99997f17c6745ab60846d223630f8b316e1349b5283a635a92368e68a1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 68845be46584bfce9f3d5208eac40579
SHA1 31ca357030566c32c65764b2f0cd9a79b55157cb
SHA256 8996eed9acef4f0d89a093584deee0631600c60e73e6a082decb7b7775124bc7
SHA512 fcf7f3ec6522beb2b46bfb8f4f4611d2797a320ae76d17b7af63a02c8a138e2b52db627da3d6c4db8d6a1be671bfd0005ff12530661fc52c8bb607443a534d7e

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

MD5 6ddc947f1f32efdce7507a1229eb6b24
SHA1 76cd9387d17f492a5cc05507dfdc2b1d3ddb841e
SHA256 c0a3212d236267e3437d794eef966244dda5064da0002fff1da4705c9e432f6b
SHA512 372fd5e1f5589bee8cf92fc183fb73da9ce77166b7e6d7c6682554b123878dffba2d33390723b9ff248853f777c495f17192b5149b2c0c9a920c603bfe4e9531

memory/3860-2033-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2633-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2636-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2640-0x0000000000180000-0x0000000000626000-memory.dmp

memory/1928-2643-0x0000000000180000-0x0000000000626000-memory.dmp

memory/1928-2644-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2645-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2646-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2647-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2648-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2649-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2655-0x0000000000180000-0x0000000000626000-memory.dmp

memory/5628-2657-0x0000000000180000-0x0000000000626000-memory.dmp

memory/5628-2658-0x0000000000180000-0x0000000000626000-memory.dmp

memory/3860-2659-0x0000000000180000-0x0000000000626000-memory.dmp