Malware Analysis Report

2024-10-18 23:43

Sample ID 240814-j22chswfpj
Target f0c81b8c2d9d3804826e6c70a7dc11c0N.exe
SHA256 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan spyware
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5

Threat Level: Known bad

The file f0c81b8c2d9d3804826e6c70a7dc11c0N.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 08:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 08:10

Reported

2024-08-14 08:12

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\d93ed97ba7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d93ed97ba7.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 6

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2612 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1324 set thread context of 1264 | N/A | C:\Users\Admin\1000037002\e8504f641c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\e8504f641c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | N/A | 1
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 53

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 55

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1288 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | 4
PID 2448 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe | 4
PID 2612 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 14
PID 2448 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\e8504f641c.exe | 4
PID 1324 wrote to memory of 1264 | N/A | C:\Users\Admin\1000037002\e8504f641c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 13
PID 2448 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe | 4
PID 2928 wrote to memory of 2592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 4
PID 2592 wrote to memory of 2148 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 12
PID 2148 wrote to memory of 880 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3
PID 2148 wrote to memory of 1648 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe

"C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\e8504f641c.exe

"C:\Users\Admin\1000037002\e8504f641c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.0.1832647455\1064450107" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af2f12f-c8fb-4f25-be1a-b2f8364b5ced} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1344 13007058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.1.582703326\1808130173" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f47b87f-e5e7-42da-a510-4f95e4edb867} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1544 42eb558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.2.869826310\167826436" -childID 1 -isForBrowser -prefsHandle 1952 -prefMapHandle 1948 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19b5a899-ed00-42e7-9881-108743dae0bf} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1964 14d54a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.3.241861758\1533543536" -childID 2 -isForBrowser -prefsHandle 2540 -prefMapHandle 2536 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cb24a6-6bb9-4e44-8092-283b83156df1} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1716 e6a458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.4.1876412200\2024881064" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e6d30f2-d057-41fe-94de-ca7c79696ac8} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3744 1ef59c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.5.88212847\986315702" -childID 4 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {480caac7-c765-472d-bfaa-cfd7aec9536c} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 3848 1f517258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.6.121001876\1499746931" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21f1cc53-56ca-4c31-854b-6682feda4aa8} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4008 1f519c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2148.7.1426908291\900042995" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4368 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c67f178-da77-47e6-adf0-1220b1b3a9fc} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 4380 e5ea58 tab

Network

Country | Destination | Domain | Proto
RU | 185.215.113.19:80 | 185.215.113.19 | tcp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
RU | 185.215.113.100:80 | 185.215.113.100 | tcp
RU | 185.215.113.100:80 | 185.215.113.100 | tcp
N/A | 127.0.0.1:49299 |  | tcp
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | spocs.getpocket.com | udp
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
NL | 108.177.127.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
NL | 108.177.127.84:443 | accounts.google.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
N/A | 127.0.0.1:49306 |  | tcp
US | 8.8.8.8:53 | accounts.youtube.com | udp
FR | 216.58.214.174:443 | accounts.youtube.com | tcp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
FR | 172.217.20.196:443 | www.google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
FR | 216.58.214.174:443 | www3.l.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
FR | 142.250.201.174:443 | play.google.com | tcp
FR | 142.250.201.174:443 | play.google.com | tcp
US | 8.8.8.8:53 | play.google.com | udp
FR | 172.217.20.196:443 | www.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
FR | 142.250.201.174:443 | play.google.com | tcp
FR | 142.250.201.174:443 | play.google.com | tcp
FR | 142.250.201.174:443 | play.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp
GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
FR | 216.58.214.174:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
FR | 216.58.214.174:443 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | r5---sn-4g5lzney.gvt1.com | udp
DE | 74.125.163.138:443 | r5---sn-4g5lzney.gvt1.com | tcp
US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
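
Added triage example (editor's code, not part of the sandbox output): the table above mixes the sample's own traffic with what Firefox generates by itself in the analysis VM (resolver queries to 8.8.8.8, Mozilla telemetry, Google account and codec downloads). The script below parses a subset of the rows exactly as printed, discards loopback, DNS and browser-telemetry rows, and leaves only the plaintext HTTP connections to bare IPs in 185.215.113.0/24, the one cluster with no DNS name behind it. The allowlist of benign suffixes and the decision to treat bare-IP HTTP as the signal are the editor's assumptions; the report itself does not label these hosts as command-and-control.

```python
"""Separate sandbox/browser background noise from the sample's own connections.

Added example, not from the original report.  The rows in NETWORK_ROWS are
copied from the table above; the classification rules are assumptions.
"""
import ipaddress
from collections import Counter

# Subset of the report's rows: COUNTRY IP:PORT [DOMAIN] PROTO.  The domain
# column is absent for loopback rows, so the parser must cope with both shapes.
NETWORK_ROWS = """\
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49299 tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com tcp
FR 216.58.214.174:443 accounts.youtube.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
"""

# Suffixes Firefox contacts on its own in a clean VM.  Assumption: this
# allowlist is the editor's, derived from the names that appear in the table.
BENIGN_SUFFIXES = (".mozilla.net", ".mozgcp.net", ".mozaws.net",
                   ".google.com", ".youtube.com", ".gvt1.com",
                   ".openh264.org", ".akamai.net")


def parse_rows(text):
    """Parse 'COUNTRY IP:PORT [DOMAIN] PROTO' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                 # no domain column (loopback rows)
            country, dest, proto = parts
            domain = None
        else:
            country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(row):
    """Loopback, resolver traffic and known browser telemetry are noise."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback or (row["port"] == 53 and row["proto"] == "udp"):
        return True
    domain = row["domain"] or ""
    return any(domain.endswith(s) for s in BENIGN_SUFFIXES)


def suspicious_destinations(text):
    """Return ({ip: hit_count}, {ips reached over plaintext HTTP by bare IP}).

    A domain column equal to the IP means the sandbox saw no hostname for
    the connection, i.e. the binary connected to a hard-coded address.
    """
    hits = Counter()
    bare_ip_http = set()
    for row in parse_rows(text):
        if is_background(row):
            continue
        hits[row["ip"]] += 1
        if row["port"] == 80 and row["domain"] == row["ip"]:
            bare_ip_http.add(row["ip"])
    return dict(hits), bare_ip_http


def shared_prefixes(ips, prefixlen=24):
    """Collapse surviving IPs to their /24s so a hosting cluster stands out."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips}
    return sorted(nets)


if __name__ == "__main__":
    hits, bare = suspicious_destinations(NETWORK_ROWS)
    print("hits:", hits)
    print("bare-IP HTTP:", sorted(bare))
    print("clusters:", shared_prefixes(hits))
```

To run it over the complete table, paste every row of the table above into NETWORK_ROWS; the parser only needs the four-column (or three-column) shape the report uses. The point of the bare-IP rule is that every Firefox destination went through DNS first, while the 185.215.113.x connections did not.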

Files

memory/1288-0-0x00000000011B0000-0x000000000166A000-memory.dmp

memory/1288-1-0x0000000077420000-0x0000000077422000-memory.dmp

memory/1288-2-0x00000000011B1000-0x00000000011DF000-memory.dmp

memory/1288-3-0x00000000011B0000-0x000000000166A000-memory.dmp

memory/1288-5-0x00000000011B0000-0x000000000166A000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f0c81b8c2d9d3804826e6c70a7dc11c0
SHA1 17515f05154788c2c974890c754c5a925b2f54d1
SHA256 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
SHA512 3807f57b2154f2e29b78c00e11c0c95ef4f9579251804c7f2279aa63f5f36762c4e22f3f9116b11cd11fdaa8575570533fd83f2422a1317f6037560b325d7ab5

memory/1288-13-0x00000000011B0000-0x000000000166A000-memory.dmp

memory/2448-16-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-17-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/2448-18-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-20-0x00000000008C0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

memory/2612-35-0x00000000011E0000-0x0000000001312000-memory.dmp

memory/2928-39-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-50-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-41-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-37-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2928-53-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\e8504f641c.exe

MD5 a8d6928ee3efb9ce0d4735bb7fe15d4d
SHA1 b7588c0db721613d6d878f57a79055f73a14c607
SHA256 955a439d5bd2b53a05e15f9a8cfcd769ce37e035095e2172030810ebfe46b5a0
SHA512 1f4d026ace9c9d31a6fcfedebaaed5b508d08dfd080a3e3eb15b86ddb1c89693adaa5e9e4a6edf8d0cd1457cfeb64fab6da3f68bf0f0fd754c34a18bcbf78088

memory/1324-68-0x00000000001A0000-0x00000000001DA000-memory.dmp

memory/1264-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-78-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-84-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-81-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-82-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-76-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-74-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1264-72-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2448-102-0x00000000064E0000-0x0000000006723000-memory.dmp

memory/2448-101-0x00000000064E0000-0x0000000006723000-memory.dmp

memory/2380-103-0x0000000000280000-0x00000000004C3000-memory.dmp

memory/2380-104-0x0000000000280000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin

MD5 024b5042533f7081429531e3030c562b
SHA1 03bf5b2a3702e08ae56331d356e20dd121ff45db
SHA256 9da9777e4790df54c4788f625a68e9f0c3bccb73cf7c43c20e50ca7e8a07fea2
SHA512 c0d3e0f61c427743c603c127094faeb4de60eb0289666d9ac4e3c242754cfb23a99ecfa6ccc7a2787788c050bc3bab5083eb8f2a506881b7ab613d5bd6263e1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\d9b545e4-cf08-4ea8-9415-b9f4950527b0

MD5 c011f61a178788b3ad101365c69b30f0
SHA1 1c481772d15d54de72cefa6fb4027bd6bca7ba64
SHA256 e2df2f0e10abf529a135b6e47e0c7099cf05278601de4eaf04add80b74efa848
SHA512 4a5092abdd798ca49e79fecbdd6c79182a4cf8900cb1896ae870cdc40bfdca11415ef5be5c98f2c0ec985e198d4e757b3ed5f3d389b9e13fa2e17ec9bbf5f883

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\81a6bdbc-9e3d-4c40-b9e4-af1e4d69d8e4

MD5 92a082e126d323abaa3140e0cd82d45d
SHA1 706029c56eb991662daed10069e10fce56f47939
SHA256 ccb8ea228ac929336605e91b642d928c9968afd5e9c9422ac76b257958c4bbf7
SHA512 081b648f15d06904b392aa3da7bd7141d0fd38f4d76b214aa8421b7fae272030bd4dced418453426d5d593802f6beefe4226a6a06d7523666eff91c5129d2fb1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp

MD5 3f71e2ddeb75af4b3faff1a794242de9
SHA1 d5ca83f84148fc64e36e629df14bf09b40318e67
SHA256 555b02fbf9d1e44ecb72278794a376e481dcf7c9c83b71bea84741fe6b1bef1f
SHA512 6ec2977e32e13619f574873c71e2dba46a0c458af2f8260717ed52a5b2ac9ac75e6d2847fe699aab1a2f9eefd911a0f3c7383d1ab863a16466321a6e50198906

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ad433daea64ba9329d6552451e240f44
SHA1 5f5087e5a2ea95f1b89b35d70808891d974d6c9d
SHA256 4ec6eca8436fcd2bc46e56ea57205ea8a20b25550dcfed6f2b29a0a4ad2c9c79
SHA512 01aa30a9a07306ccc7688a9a6d9cd1c880c99e8af07d7332f83e5c0809399d70dbe971ac2a3e4c7df2887af413fe13a97d9eb8be49a4fe9f5395e071b50028d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

MD5 c2ce246b108b4734ef1888fc12848185
SHA1 2b61de262fc93022163be6f0be208ec447962686
SHA256 0efdf83e572333869ea273757a7b67d3c732a6d38fb18a88d09dbe192f3f337f
SHA512 372c78d99e6f51ed842c6e1e00860a5d2899cdb3d53d0fc2f62d06acc5b0af54e2d4aadbb1e84cb4ecc1b0e3ba22b256b9089e5d7aeb532c8e36f63c3de2bfff

memory/2448-223-0x00000000008C0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

MD5 71883ecaeae667543f7629d88aab69b0
SHA1 7672a7e68331bc135d7254edce2ece36bcb03c74
SHA256 29b5c73c669272ec973e4dc381a7c919b16e9763f646a12db33c3c9ca222c118
SHA512 aa954b40d339096d6794a6c04cca19f7c8e05b73e5bb87ddfd432f0fe5b7589daf34d4dda6a469c107185a345e89ecdae2173f494913febb2d1acc6be1f64a50

memory/2448-257-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-283-0x00000000008C0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d173bbe57d5121c2283325d6d107d156
SHA1 383346a9df586a18e4e2c7f0c2889a23cf701ea2
SHA256 feb9a94ed9cdfe7c6102206c93e1ea4ba18bc2c490ac21985ec89b8ee652f33f
SHA512 c5f33fab8c86d36b900a35468b121eff85fef50aec9885ffcdd6c8b05cfd0996b84c2a91e0b3ffe5f8fed14a95800b63b13dc49c7be78d7ea0fbe72f8ad40414

memory/2448-293-0x00000000008C0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

MD5 7858bcbdf23b7f4acc8bc829fb3d36d3
SHA1 c90b20a227ec5faa1728974d9ec86be56462d7ad
SHA256 95da5e83b355e704b1c0adade313039692e8ff6dedd6b5c07cfb4fe27c82113c
SHA512 a6c3feba56383a881c7e627b5843f315b159e2a2743ca82fcabfda60b2d26e2b8fbaf16c5abf2a9b0fc91cd36cd879a25680463093bacfaecebc2c8747e978ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

MD5 e50cfce541ea774c6d44d61c1c1dd3ea
SHA1 de919a7ad32a7f99209bd05df4684f64f2821ca1
SHA256 eca9f09884e3f005d26da3a6129e09684b77adeed3b3585d0ba36a2632a1b656
SHA512 44aba0b38b807bf3e8c23685d8e73f653f3e7ae15ea205ec75a8d9404efa1ffee74949123b2cdf186c27535bb79f239d1b1134fec234c1fe6dd1bad1001fca67

memory/2448-340-0x00000000008C0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e851e09a264e029f640030ff14db942f
SHA1 d9190bdc47eea4aa5943d0f9da4a22695bdc8b40
SHA256 4fa8a49ddac85a5928fba0d92ae9e772ee406640444734c741929862ea786da2
SHA512 dfe9b4d6b1af3f2326daf890998b6ad7251bcf5f249d0f3f2de91660ea48e3173119098ab988a95c8afaa32af0e2cbc9aa58d934249990e70e32bd506253d25d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2448-386-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-388-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-399-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-402-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-403-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-404-0x00000000008C0000-0x0000000000D7A000-memory.dmp

memory/2448-405-0x00000000008C0000-0x0000000000D7A000-memory.dmp
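
Added example (editor's code, not part of the report): the Files listing above interleaves three kinds of entries, memory dumps, binaries the sample wrote, and Firefox profile housekeeping. The script parses an excerpt copied from the listing, compares each SHA256 with the submitted sample's, and shows three things the flat list hides: Temp\0d8f5eb8a7\explorti.exe is a byte-identical copy of the sample (same MD5 and SHA256 as the Analysis Overview, consistent with the Amadey tag), the follow-on payloads land in numbered directories (1000036001, 1000037002, 1000038001), and prefs.js appears twice because it was rewritten with a different hash, not because the listing is duplicated. The bucket names and path rules are the editor's assumptions.

```python
"""Triage the Files section of a sandbox report.

Added example, not from the original report.  FILES_EXCERPT is copied from
the listing above (MD5/SHA1/SHA512 lines mostly omitted); the bucket names
and classification rules are assumptions.
"""
import re

# SHA256 of the submitted sample, from the Analysis Overview.
SAMPLE_SHA256 = "3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5"

FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
MD5 f0c81b8c2d9d3804826e6c70a7dc11c0
SHA256 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
memory/1288-13-0x00000000011B0000-0x000000000166A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000036001\d93ed97ba7.exe
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
C:\Users\Admin\1000037002\e8504f641c.exe
SHA256 955a439d5bd2b53a05e15f9a8cfcd769ce37e035095e2172030810ebfe46b5a0
C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js
SHA256 0efdf83e572333869ea273757a7b67d3c732a6d38fb18a88d09dbe192f3f337f
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js
SHA256 29b5c73c669272ec973e4dc381a7c919b16e9763f646a12db33c3c9ca222c118
C:\Users\Admin\AppData\Local\Temp\tmpaddon
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
"""

HASH_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)")
PAYLOAD_DIR = re.compile(r"\\(\d{10})\\")   # the 10-digit Temp subdirectories


def parse_files(text):
    """Turn the flat listing into [{'path': ..., 'SHA256': ...}, ...].

    A hash line belongs to the most recent path; memory/ lines are process
    memory dumps, not files on disk, and are skipped.
    """
    entries = []
    for line in text.strip().splitlines():
        m = HASH_LINE.fullmatch(line)
        if m:
            entries[-1][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            continue
        else:
            entries.append({"path": line})
    return entries


def classify(entry):
    path = entry["path"].lower()
    if entry.get("SHA256") == SAMPLE_SHA256:
        return "self_copy"           # the sample wrote a copy of itself
    if "\\mozilla\\firefox\\" in path:
        return "firefox_profile"     # browser housekeeping, not the malware
    if path.endswith((".exe", ".dll")):
        return "dropped_exe"         # follow-on payloads to hash and retrieve
    return "other"


def triage_files(text):
    buckets = {"self_copy": [], "dropped_exe": [], "firefox_profile": [], "other": []}
    for entry in parse_files(text):
        buckets[classify(entry)].append(entry["path"])
    return buckets


def rewritten_paths(text):
    """Paths listed more than once with different hashes were rewritten
    during the run; the report records each version as its own entry."""
    seen = {}
    for entry in parse_files(text):
        seen.setdefault(entry["path"], set()).add(entry.get("SHA256"))
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def payload_dirs(paths):
    """Numbered directories the follow-on payloads were written into."""
    found = set()
    for p in paths:
        m = PAYLOAD_DIR.search(p)
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    buckets = triage_files(FILES_EXCERPT)
    for name, paths in buckets.items():
        print(name, paths)
    print("rewritten:", rewritten_paths(FILES_EXCERPT))
    print("payload dirs:", payload_dirs(buckets["dropped_exe"]))
```

The same parser works on the full listing; only the SHA256 comparison needs the sample hash from the overview. The numbered directories are worth recording as a hunt artifact on their own, since the payload file names differ between the two detonations on this page (d93ed97ba7.exe in behavioral1, 08bc458f26.exe in behavioral2) while the directory pattern does not.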

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 08:10

Reported

2024-08-14 08:12

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08bc458f26.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\08bc458f26.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1784 set thread context of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 set thread context of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
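
Added detection example (editor's code, not the sandbox's signature engine): the signature tables above record each behaviour as a separate indicator row. The script below turns four of them into rules and runs them over constructed event records that mirror those rows: two or more VirtualBox, Wine or BIOS registry probes from one process; a Run value pointing into a user-writable Temp directory; a .job file created under C:\Windows\Tasks; and SetThreadContext from a Temp-resident binary into RegAsm.exe, which together with the WriteProcessMemory rows for the same PIDs (1784 into 5088) later in this section is the usual shape of the .NET host being hollowed. The event schema, the two-probe threshold and the list of hollowing hosts are the editor's assumptions.

```python
"""Rules over process/registry/file events for the behaviours listed above.

Added example, not from the original report.  EVENTS are constructed to
mirror the indicator rows on this page; the schema and thresholds are
assumptions rather than anything the sandbox exposes.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000"

# Constructed events mirroring the signature rows (kind, process, detail).
EVENTS = [
    {"kind": "reg_open", "process": LOADER, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "reg_open", "process": LOADER, "key": USER_HIVE + r"\Software\Wine"},
    {"kind": "reg_query", "process": LOADER,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "reg_set", "process": LOADER,
     "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08bc458f26.exe",
     "value": PAYLOAD},
    {"kind": "file_create", "process": SAMPLE, "path": r"C:\Windows\Tasks\explorti.job"},
    {"kind": "set_thread_context", "process": PAYLOAD, "pid": 1784,
     "target_pid": 5088, "target": REGASM},
    # Benign control: Firefox reading CPU details is not a sandbox check by itself.
    {"kind": "reg_query", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
]

# Key suffixes the report lists under the anti-VM / Wine / BIOS signatures.
ANTI_VM_KEYS = (r"\ACPI\DSDT\VBOX__", r"\Software\Wine",
                r"\SystemBiosVersion", r"\VideoBiosVersion")
# Assumption: signed .NET utilities commonly used as hollowing hosts.
HOLLOWING_HOSTS = ("regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe")
ANTI_VM_THRESHOLD = 2   # assumption: one probe alone is too noisy to alert on


def from_user_writable(path):
    """True for images or targets under the user profile or its Temp."""
    low = path.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\local\\temp\\" in low


def run_rules(events):
    findings = defaultdict(list)
    vm_probes = defaultdict(set)
    for ev in events:
        proc = ev["process"]
        if ev["kind"] in ("reg_open", "reg_query"):
            for suffix in ANTI_VM_KEYS:
                if ev["key"].endswith(suffix):
                    vm_probes[proc].add(suffix)
        elif ev["kind"] == "reg_set" and "\\currentversion\\run\\" in ev["key"].lower():
            if from_user_writable(ev["value"]):
                findings["run_key_to_temp"].append((proc, ev["value"]))
        elif ev["kind"] == "file_create" and ev["path"].lower().startswith("c:\\windows\\tasks\\"):
            findings["job_file_persistence"].append((proc, ev["path"]))
        elif ev["kind"] == "set_thread_context":
            host = ev["target"].lower().rsplit("\\", 1)[-1]
            if host in HOLLOWING_HOSTS and from_user_writable(proc):
                findings["thread_context_into_dotnet_host"].append((proc, ev["target_pid"]))
    for proc, keys in vm_probes.items():
        if len(keys) >= ANTI_VM_THRESHOLD:
            findings["anti_vm_probe"].append((proc, sorted(keys)))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On a real endpoint the events would come from Sysmon (event IDs 12/13 for the registry, 11 for the job file, 10 and 8 for the cross-process access) or an EDR, and the firefox.exe control shows why a single registry read must not trigger: Firefox queries CentralProcessor values legitimately, as the table further down records.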

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\e8504f641c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1468 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1468 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2500 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe
PID 2500 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe
PID 2500 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2500 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\e8504f641c.exe
PID 2500 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\e8504f641c.exe
PID 2500 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\e8504f641c.exe
PID 1512 wrote to memory of 4456 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 4456 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 4456 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 wrote to memory of 1680 N/A C:\Users\Admin\1000037002\e8504f641c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2500 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe
PID 2500 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe
PID 2500 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe
PID 5088 wrote to memory of 4836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5088 wrote to memory of 4836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4444 wrote to memory of 3492 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe

"C:\Users\Admin\AppData\Local\Temp\f0c81b8c2d9d3804826e6c70a7dc11c0N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\e8504f641c.exe

"C:\Users\Admin\1000037002\e8504f641c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a36b629c-b193-4627-a20d-84f768002912} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f385ace4-9bb2-4e39-a901-1fc7fd4d329f} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 3360 -prefMapHandle 1252 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7067e201-6649-46a1-83c4-3a6682fc7398} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 2 -isForBrowser -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6e23ec1-fedf-434f-a71d-334357bcc2aa} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4760 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {882167c8-ba94-4a84-9051-f55a73021342} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0af20c-2ee7-4003-80a7-4eddfc5d83db} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ca338b-ec51-419a-a461-85bc40c0c601} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5404 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8551ba6-82df-4c72-9f2e-6750cc330ae4} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6184 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28cf2faf-a26c-446e-97e2-8309c30a29fc} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:62258 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 142.250.201.174:443 play.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:62276 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1468-0-0x0000000000A90000-0x0000000000F4A000-memory.dmp

memory/1468-1-0x0000000077914000-0x0000000077916000-memory.dmp

memory/1468-2-0x0000000000A91000-0x0000000000ABF000-memory.dmp

memory/1468-3-0x0000000000A90000-0x0000000000F4A000-memory.dmp

memory/1468-5-0x0000000000A90000-0x0000000000F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f0c81b8c2d9d3804826e6c70a7dc11c0
SHA1 17515f05154788c2c974890c754c5a925b2f54d1
SHA256 3b1d6e7f53b18c7b220d7017d996716e071ec4616d15cd117d7fc2d6fac0bdc5
SHA512 3807f57b2154f2e29b78c00e11c0c95ef4f9579251804c7f2279aa63f5f36762c4e22f3f9116b11cd11fdaa8575570533fd83f2422a1317f6037560b325d7ab5

memory/2500-17-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/1468-16-0x0000000000A90000-0x0000000000F4A000-memory.dmp

memory/2500-20-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/2500-19-0x0000000000D51000-0x0000000000D7F000-memory.dmp

memory/2500-21-0x0000000000D50000-0x000000000120A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\08bc458f26.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

memory/1784-40-0x000000007352E000-0x000000007352F000-memory.dmp

memory/1784-41-0x0000000000D30000-0x0000000000E62000-memory.dmp

memory/5088-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/5088-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/5088-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\e8504f641c.exe

MD5 a8d6928ee3efb9ce0d4735bb7fe15d4d
SHA1 b7588c0db721613d6d878f57a79055f73a14c607
SHA256 955a439d5bd2b53a05e15f9a8cfcd769ce37e035095e2172030810ebfe46b5a0
SHA512 1f4d026ace9c9d31a6fcfedebaaed5b508d08dfd080a3e3eb15b86ddb1c89693adaa5e9e4a6edf8d0cd1457cfeb64fab6da3f68bf0f0fd754c34a18bcbf78088

memory/1512-66-0x0000000000FB0000-0x0000000000FEA000-memory.dmp

memory/1680-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1680-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\c842ebd6e0.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4864-86-0x00000000006D0000-0x0000000000913000-memory.dmp

memory/1680-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 a89887a6d1c91ae6ad1608e2ac1ae5ba
SHA1 913d52e99d85c27b49e5f7a6e75baebeb58a644b
SHA256 99531f8e05a91c72d376bbce01164f450c6803f8796e9ef29f54a562354ec7a0
SHA512 af0e527ad4fc17baa7444d781d8bdc666c15223635800b40fca509b46882bf2f261dca4f699d8b3b3ad14f0d1bef94b19c40800170bb20e37968de5461d77acc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\7789eac8-e1c7-48e7-873d-338d235e5706

MD5 0ef90b4ff16807d6f73c5afb616b020a
SHA1 55575525238bca30eb41155de5c578e4a763fd38
SHA256 0a45cdfaaa37b16e30b72aa6d121bf160bd4caaf3a4b7e2abb46197c1a74d603
SHA512 49d51148ae7ab834caf3bff5629735d63a7907abf21589d039272d92d9a2d986faa23dbee4b57286756a4b8f272f556f66303480222aa980fb5e033a58057d09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\a48c6efb-dafc-47d5-aad4-c151e85676ee

MD5 a6e9f5cae82b56f9380464b0c1f54aa3
SHA1 1e0598e702cf193bfb075f547c37c1796eaa7d50
SHA256 2286b7f28b567e83c3ed2927d4629964fca202c2a06a0544b9d26a2efb648fff
SHA512 8ac7c8e51e9bbdd1d4391474605e19c8dec7a32ce57614a51f6ae2e7bca1f55fd4860fd7c13148aa15e1f3f63e77cdf44ea29e06ff9a8a340d8d50c1c4d2d109

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\36d7441e-01c8-4683-8ef2-188c0ce1fa92

MD5 5aaabcd2569316a7b5d483697efd088e
SHA1 3cf04b836126f7c997706947f1f6fa40fe4a96b7
SHA256 32e4f8ccf161b519d1106810c963fbca6cb48bca7704cfe342f56ba3e4a66582
SHA512 858da76c6b909a17e1fbdecbc8982757aa980d010476d581eac2e72ef6ea0e41b17aed7e84044c528dd43c3e17c86e0a4f4e44de1b54220998af84897233f245

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 e41aed9d2ab8f1465e06781c9b32f3b3
SHA1 fdba6ba7be542651c83a9f5344194c98a116667d
SHA256 5205c14c560bcf735ea6dc74e9dd185758d1d829c6e91e6fc9a7e12544f13e02
SHA512 10489b9a56f9ff2d92b99991e00ab9f7f9605814362505c54916a3fae2a39d9c6fe218087379850b51a55a3ee123fa2bdb5c8375d4943b10e415ae0175344523

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 2762528884c7c063994166752625e130
SHA1 579de7cf3eaa8552faafeb0304bd567d027f02e7
SHA256 121218ec29eaf7448261b752aedbf6223cd21bb740ea77d52f759b806551117d
SHA512 2011a8f52b7dda9d36d6c3ddfade5e1d9e4daf6b76335ebfcd751d91533fa3e0f2307142c72e3fb7911031bdd4a71bff205c899da53c1854143330198741d561

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 9d5ba9e87d526396af63dec218fe905a
SHA1 f068ac59da38a41fa18442f862440d08baed0412
SHA256 a86c4797ff891782db6612a795171fb240daaaf1fde56ca1d0b3c3def1ae856d
SHA512 4ec60f017285f3e5cdaca3e89c152ba277d4d4a339b48b4d5fa12ec376394f51133854d9e34d96de1226e33edf145c5085a26891db899d4927ec8b02c517cd34

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 f41bd91642310cd2c82247b218adcb29
SHA1 ff33b40f3ad7ac68c14b8fe3713fe038003390e9
SHA256 45b8a79fe0e30bb581a4659458a018d1c633d96c459082167f1a47f8f64d7b35
SHA512 a7a176ba1b511d777509785f952c187428a34b92d2046c3efb2fd5c56001d920e1acca772a3dd6667f34eb25627c0e18c46a4e8c945c9b06b2de24bb4c204fca

memory/2500-476-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/2500-483-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/1532-487-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/1532-488-0x0000000000D50000-0x000000000120A000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite-wal

MD5 97a46af9d60ac374a5445013a8d2389f
SHA1 25a99001ed3fde3e105a2b3c06a351199d10878b
SHA256 98a92311a13feddbb1fbf2ff441c7e4e8639b3a8389f39851b7bf28f7476bc33
SHA512 ecfde194067c3886d45471246b0119730e9975499149c3d2c01683655497820f898c6c4db3bb7f24f3d598ed7a9cf933f95dfcc81a1364fab07ba7d1ddb0a8b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite

MD5 2974d52b8f8a3a53836461fb03acb9e8
SHA1 79a2bf92863de9eadfa740e0f8efa28a4701774b
SHA256 e3c367eba4073f3480e0c38fb71fd9703c9ad14eaf8a2160a65368e8f1628749
SHA512 5af11b90ca0db0f886a9d6ccb5ab4c5e42b768b142aa6abacb6b2d56cb0145687157d6dcd064ffa4260c2802c2322b9abe84a7afc5c865a5aa878ee101155a5d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\places.sqlite-wal

MD5 e1f7f7ad08180a32892fb02626d74aec
SHA1 9bc2d488b946e6bf223dc8f07883eb7ca9067ce6
SHA256 4ae0abadb4390ac3ebaa8c92550b5385490952a87a6d75f0246711ca56edb58b
SHA512 db58a41cb020390d49e9653fe33b16077c771fe6384b7a5488ffb54bb471aa56e36efd524bb870e08c6c0e2f38c8408e92133b00a4f865100a04b2e430928f5e

memory/4864-552-0x00000000006D0000-0x0000000000913000-memory.dmp

memory/2500-553-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/2500-554-0x0000000000D50000-0x000000000120A000-memory.dmp

memory/2500-567-0x0000000000D50000-0x000000000120A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 be779bdd46415689c3f383bcf5cc9f45
SHA1 2da1112b127b161f93258b223f01c1798f20e4fd
SHA256 fe22efba00bd5dc1618f54c613e3c8d3bdeb5604836a94ea21873b4616bd36da
SHA512 9d173ab4826b14e0351732ff0372ddcf8f604c633b62816a5329d31ae7e6d6cec1453db99db75af0a8a2f470459319f2232a915353c43dd8a5824f348e74a94e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 fa5c863635e3b1c945b6245fdf0a5c57
SHA1 8ae4ea5dc6cdb63e742a5bc0316544a18e4ed1d1
SHA256 63a92478ae4145f6a8af1e3ad71c8dc617401d8e90797f586a408ea84e34544d
SHA512 b39aca32eee8853df84561816bf25e95cf2e40fcdef90c0cb7ce9230a63b12ef49c302084b98b98a3548cbfa0e4e6bc754d1cac064431574afc83a7b10be4863

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
