Malware Analysis Report

2024-10-18 23:43

Sample ID 240814-jpeyrawamj
Target d051474ba32beb9890bd6bdfd587d190N.exe
SHA256 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593

Threat Level: Known bad

The file d051474ba32beb9890bd6bdfd587d190N.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 07:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 07:50

Reported

2024-08-14 07:52

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A (×3)

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A (×3)

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1848190509.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\1848190509.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 668 set thread context of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 set thread context of 1812 | N/A | C:\Users\Admin\1000037002\ff21617840.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\ff21617840.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\2de768c3b0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (×2)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (×2)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A (×7)
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (×21)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A (×35)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A (×7)
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (×20)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A (×37)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4856 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (×3)
PID 2124 wrote to memory of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe (×3)
PID 668 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (×10)
PID 2124 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\ff21617840.exe (×3)
PID 1964 wrote to memory of 1812 | N/A | C:\Users\Admin\1000037002\ff21617840.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (×9)
PID 2124 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\2de768c3b0.exe (×3)
PID 1240 wrote to memory of 3452 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe (×2)
PID 3452 wrote to memory of 208 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe (×11)
PID 208 wrote to memory of 4628 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe (×20)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe

"C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\ff21617840.exe

"C:\Users\Admin\1000037002\ff21617840.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2de768c3b0.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2de768c3b0.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d82de824-9f71-4a24-8c49-ae5431fc2aeb} 208 "\\.\pipe\gecko-crash-server-pipe.208" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7361c6b-4b5d-483a-9c44-499532a4b8ba} 208 "\\.\pipe\gecko-crash-server-pipe.208" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2996 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {839c0ae8-1547-48fa-8d8f-c7cfbba979c0} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {280a9bbf-6ad0-4492-ba6e-5721084dc74f} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4796 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99e79f77-df30-4e48-845a-6aaeab8e1958} 208 "\\.\pipe\gecko-crash-server-pipe.208" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22f10e89-a39a-4e0d-84e5-59e1b66d38d7} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7175bb2e-1eb2-4430-b905-7495ddbd450b} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5260 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca1ce26e-d076-41de-808d-cb4004b7e779} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -childID 6 -isForBrowser -prefsHandle 6168 -prefMapHandle 6172 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b97b3548-a7a6-4c70-a98b-80a270aea2c2} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:57681 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 34.42.82.35.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
N/A 127.0.0.1:57688 tcp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
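The Network table above mixes the sample's own connections with background traffic from the Firefox instance the sandbox launched (Mozilla telemetry, Google, Bing, and reverse-DNS lookups against 8.8.8.8). The only rows that fit neither category are plaintext HTTP sessions to 185.215.113.16, 185.215.113.19 and 185.215.113.100 whose Domain column is the bare IP, meaning no name was ever resolved for them; together with the Amadey and Stealc tags those are the C2 candidates. The Python below is added for this edit and is not part of the sandbox output: it parses a subset of the rows copied from the table, separates noise from candidates, and ties the in-addr.arpa lookups back to the candidate addresses. The noise suffix list and the classification rules are the editor's heuristics, not something the report states.

```python
"""Triage the report's Network table: separate the sample's own traffic from
browser and sandbox background noise. Added example, not part of the report."""
import ipaddress
import re
from collections import Counter

# Rows copied from the report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:57681 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Editor's heuristic: domains Firefox and Windows contact on their own inside
# a sandbox. The report does not state this list; tune it per environment.
NOISE_SUFFIXES = (".mozilla.net", ".mozilla.com", ".mozgcp.net", ".mozaws.net",
                  ".google.com", ".youtube.com", ".gvt1.com", ".bing.net",
                  ".openh264.org", ".akamai.net")

# Country, ip:port, optional domain, protocol. The loopback rows have no domain.
ROW_RE = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Turn a PTR name such as 19.113.215.185.in-addr.arpa back into 185.215.113.19."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    ip, domain, port = row["ip"], row["domain"], row["port"]
    if ipaddress.ip_address(ip).is_loopback or domain is None:
        return "local"
    if port == 53:
        return "dns"
    if domain == ip:
        # No name was ever resolved for this peer, so the address is hard-coded
        # in the sample. Plaintext HTTP to such a peer, in a report tagged
        # Amadey/Stealc, is the obvious C2 candidate.
        return "candidate_c2" if port == 80 else "bare_ip"
    if domain.endswith(NOISE_SUFFIXES):
        return "noise"
    return "unknown"


def triage(text):
    rows = parse_rows(text)
    labelled = [(classify(r), r) for r in rows]
    c2 = sorted({(r["ip"], r["port"]) for label, r in labelled if label == "candidate_c2"})
    c2_ips = {ip for ip, _ in c2}
    # Reverse lookups in the capture that resolve back to a candidate address.
    # The report does not say which process issued them.
    ptr_for_c2 = sorted({ptr_to_ip(r["domain"]) for label, r in labelled
                         if label == "dns" and ptr_to_ip(r["domain"]) in c2_ips})
    return {"candidate_c2": c2, "ptr_for_c2": ptr_for_c2,
            "counts": dict(Counter(label for label, _ in labelled))}


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Running it over the full table rather than the excerpt gives the same three candidate addresses; every other TCP or QUIC peer in the table resolves to a Mozilla, Google, Akamai or Microsoft name and can be discarded from the indicator set.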

Files

memory/4856-0-0x0000000000D00000-0x00000000011B7000-memory.dmp

memory/4856-1-0x0000000077854000-0x0000000077856000-memory.dmp

memory/4856-2-0x0000000000D01000-0x0000000000D2F000-memory.dmp

memory/4856-3-0x0000000000D00000-0x00000000011B7000-memory.dmp

memory/4856-4-0x0000000000D00000-0x00000000011B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d051474ba32beb9890bd6bdfd587d190
SHA1 8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156
SHA256 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593
SHA512 ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a

memory/2124-17-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/4856-18-0x0000000000D00000-0x00000000011B7000-memory.dmp

memory/2124-19-0x00000000007F1000-0x000000000081F000-memory.dmp

memory/2124-20-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-21-0x00000000007F0000-0x0000000000CA7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

memory/668-40-0x000000007346E000-0x000000007346F000-memory.dmp

memory/668-41-0x0000000000DB0000-0x0000000000EE2000-memory.dmp

memory/1240-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1240-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1240-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\ff21617840.exe

MD5 2c4259fdd59fc26f2f365501a0ef9da0
SHA1 33773ad2bcf65c0caa9b9ecac510f72313ebe285
SHA256 6080c330d14f3a0b896ae3eed7e44b63f632bdb8d96e39dce5a179be2f06d362
SHA512 295e85660ca4139456b884d30907a4cb4ff44ba07980472db3eaec70b8998ca1b956f91717e98f860507eb2e15286f4b188a5744e1be73cada50b6c51a55acf9

memory/1964-66-0x0000000000700000-0x000000000073A000-memory.dmp

memory/1812-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1812-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\2de768c3b0.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/5096-86-0x0000000000850000-0x0000000000A93000-memory.dmp

memory/5096-87-0x0000000000850000-0x0000000000A93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 0bea0485ae4f385a62fd283d23ac72df
SHA1 f38d9afec0d18e52c6300013060fe9e02882f965
SHA256 33bec790e512ef14da50e7dd43310e5fbce1283d15c7989e079cfc7480683c1c
SHA512 08fae0c992f78292a863a46f4129283b8f4a3dde8a62de10b8ff9b25fe0b727bca32fab417b9e65e26eba59163504ac7b68a39324189a3b08a399d8c7ccd3977

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3c0517b4-82e3-4f63-826c-ec64fd7a5185

MD5 9a9f136021b92378ad3f63f9bd798569
SHA1 fc1b5b62ccf08e64d4de2aaee6fd69a91ee92ec5
SHA256 38cba3f66d5e38e2f5b4af85c120844ddc6c962d77c7ed2ead68dbe272569fb6
SHA512 914412e24a940cc7b3dd5a8d5294c2b4830b60ca41ea37cf31207c5b843335c1e225e0f089310007efdb6a76c9295cd2042851aa1afeed96ea0639d2d1447b45

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 587839e97c0cd15dbe2b11e38c85349c
SHA1 60b0e1fbe7e93229c219c4f151f7f0e59f04cb85
SHA256 cd5553537ee5d95540eb367e57287851c5180c20901a6c002b7131625c0a0f7a
SHA512 cc78f61a1cf7c43da6424c89c53c448a386cbc73e819f6b0226c52fccddd2a769fdd8695eae540bd51c61224b62ff0137795d25d94e923c2d721d9920519bed1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\8a37fe27-1704-426a-af72-e69a3a21675b

MD5 7991e57a86567a64b6e1ad8893e739f6
SHA1 4169aa24c91ab17139ad5bf7186e96c51df8b2f6
SHA256 9c4bd9591e59c8154409f82d1735fcb431ce7e225913171afc51efdb9b54c0f2
SHA512 af2d8dfd2e6de04d32802a8b965beb87ad69b62b052cd047e57104bbeca9e7d6e780da0716e02ce706eb017eeed3ca42d2c87cea5f4e44c31b2cbc737c768168

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\c34d13ba-08a1-4f7e-a25d-066fe58c0a4b

MD5 a84d8b2ed501dc49e035fa2bbb6517c9
SHA1 d8b2311507fb359f35bd04fa5f81397fa3c18515
SHA256 3cae1a049aa300c46d09bc458b313b495372a66c5108dbaa43965187ce753592
SHA512 3736cc73a4dbffb31c6854764d2483fba66b76239dc971c0782e771abba0951c3a4276bb7526259032e0ff11d060d271708d8d7bcf19d47a2aa1b66301219c68

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

MD5 29c44804d1a160c589c1019097fa41ba
SHA1 0c4eeef03bca8de481c7658a4289b25302f204a5
SHA256 f1854c6e4fc57146aa81387dfbeddda2f4311651e247872d747d0518d502bc45
SHA512 3f85e3511b7a2649e1327c0223bbc31a82fc0b092c1506baa9d36d7991c5cc0f617d32fdd6b9a212338e44b9fb90512b7ce331d39aca9012bcc7031bd74a7c29

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 c1da63efb21c158f5547273591c2b919
SHA1 1b2ff6e5d76b742e29956b48b61fd11b9f9d511a
SHA256 913bb79adaf8f33443ff866d8460e1fa8b468bd56b4476b0c6b4a3a59621c8ca
SHA512 97d14d0bc109000384037b61b6ad9148348674cb47c379ec56544734f8805c31b3ec83ffaf589cfefbe60e3b71fd6105b6f68a3c5cf2890fa98bbbbfe95480ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 434d6a5c911a1708687427cea5ab8add
SHA1 b3d81e8acf0f9b37b9c1021defa69970a897910e
SHA256 21bb1dbb73d12c902e5530657d6052f74354ad880adfa8c5875df28a9ba8ca31
SHA512 962b4e62fcac4181b7f79a021e958722945f0de589f055861c7012525eb253dc52dc3a647178cf28c12a89b1bf1b4cbefa52a23c02887b9ebe6d15897b4fd9af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 655e4ea198b8854d210e7d2b57435497
SHA1 a6dd377a18ed3c5206b11387e0cfc28ec9b63b18
SHA256 55faa436e32509097e5ca26f08cd3bf407ebcb8462ba934694b064397ca93b4b
SHA512 8e4916dd3c0dd98f5a5fbc5d2c2a46ac5b74b73565fc3a14d75c59d6aa3644d6fff5c4529f492ef4ce981b084369d889bfac76b88a193ba4c7050f465b083e36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 555f478b885cfd2dd35c005888062519
SHA1 8a5f2d69458025191f79f1e08a23c88a00e62356
SHA256 55f9defba4c651c72fab20ae5bcfb96c3fd19253dd9c58e0f077bb816a253e11
SHA512 1e5693bc58ee08905ea0e159580c8f5a4ecbeb648471186c33e7acf0c81a71734112c59b3d4849854314f77f7150e78110dde53a19d5d4e5d5faca436364722f

memory/2124-423-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-444-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-445-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-446-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/5696-453-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-452-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/5696-454-0x00000000007F0000-0x0000000000CA7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 c3da2d59a2daaaf042e9df048af83076
SHA1 c744fdd12a9e99ee89c8f402d46ca530a2875998
SHA256 5b8131f16f2a0ef358c8d0b05afc75c7ebbdca1d77eeb22b0e21dc606348a62e
SHA512 0b9315327ba47d2f7864368e094847f981a6e9f010fccbfe08f4e71d8cf1f886260ef409300e6b1b173bb7b7c2d54d739c8f39643b3b2bd4cb4043dbee400037

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 2d355db19309ce2b613d0a91a797f3a8
SHA1 06e5d606c3e0b192799072e67318a9842193eaf1
SHA256 98d094baa6fab16b16e6072e5e464baf61bc2deab213b3bdf6a5378c9f7d4b49
SHA512 01ad507749f2a8db8cd61fe68078a8c33f8964df93807b8294a64360004fd45c77ef1f6533089c71535a97ddb463b96e2074dfa21da04ca361f51b37ddb6b92d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 cc27b182efd20a20d141cc3266be586f
SHA1 ed13c6861af9484ab1a076e012c0e05061d398f2
SHA256 f684b0c1c6e8cf55a04e4f5117c74d58b204619544b040c117bb6a8f39979be3
SHA512 e0e7f3b1f41e4d11be9a701fd38958b7cfc8e9fd508526bba31481b83348845eaca1d2b8008c8691c2edc8ffeb1d3d53ff97474a4227fe3ec936c09b7733461e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 48baee34abdc24812ce42735764288f0
SHA1 7f228d6a452d5a8c929fe5f6ab1fc33aaf5b106a
SHA256 d4ab0a53780797a72093b33ee44f4a81aeb1663ee2fc624ac85d63de553c28de
SHA512 e38e5432a29fc7d9c817b2c3e4eade705e3f7c0ecf0c27e5d5c774f90677bc988df48c909a4d3d9f916ce4a542a9c397debddaee0e50a5ad7712b79ba799bc0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 f8a4c24b1b6a8c6c6031743ccdec8a16
SHA1 ef1aa54e79f366c3045b097094ddf342dbe71448
SHA256 9ec04aba5aacef03f1e413075dbb61569dd990697c5f1e3776d15020fd55dfe6
SHA512 d5e7e17c036f58f56e7cfac9da591fec4b39f22ff915fd287f560a300a3f795213583c945aa48632efdb32a33cd5c6dce65a6820aa82142e10903382cbda47dc

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2124-985-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-1943-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2659-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2664-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2669-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2671-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/5572-2672-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/5572-2674-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2675-0x00000000007F0000-0x0000000000CA7000-memory.dmp

memory/2124-2676-0x00000000007F0000-0x0000000000CA7000-memory.dmp
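Two things in the Files listing are worth checking mechanically rather than by eye. First, the dropped C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe carries the same MD5 (d051474ba32beb9890bd6bdfd587d190) and SHA256 as the submitted sample, so the first stage copies itself into a Temp subdirectory and launches the copy. Second, the memory dumps from PIDs 4856, 2124, 5696 and 5572 all cover a region of exactly 0x4B7000 bytes at different base addresses, which is what several instances of one image look like when dumped. The Python below is added for this edit and is not part of the report: it parses an excerpt of the listing in the report's own layout (a path line followed by its hash lines; memory/PID-seq-start-end-memory.dmp names) and reports both observations.

```python
"""Cross-check the report's Files listing: find dropped files that are byte-for-byte
copies of the submitted sample and compare dumped memory regions across PIDs.
Added example, not part of the report."""
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593"

# Excerpt copied from the report's Files listing: a path line is followed by its
# hash lines; memory dumps are named memory/PID-seq-start-end-memory.dmp.
FILES_TEXT = r"""
memory/4856-0-0x0000000000D00000-0x00000000011B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
MD5 d051474ba32beb9890bd6bdfd587d190
SHA256 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593
memory/2124-17-0x00000000007F0000-0x0000000000CA7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000036001\1848190509.exe
MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
memory/1240-43-0x0000000000400000-0x000000000052D000-memory.dmp
C:\Users\Admin\1000037002\ff21617840.exe
SHA256 6080c330d14f3a0b896ae3eed7e44b63f632bdb8d96e39dce5a179be2f06d362
memory/5696-453-0x00000000007F0000-0x0000000000CA7000-memory.dmp
memory/5572-2672-0x00000000007F0000-0x0000000000CA7000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(text):
    """Return (file entries with their hashes, memory dump records)."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
        elif (m := HASH_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            # Any other line is a file path and opens a new entry.
            current = {"path": line}
            files.append(current)
    return files, dumps


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Paths of dropped files whose SHA256 equals the submitted sample."""
    return [f["path"] for f in files if f.get("SHA256") == sample_sha256]


def regions_by_pid(dumps):
    """PID -> set of (base address, size in bytes) regions the sandbox dumped."""
    by_pid = defaultdict(set)
    for d in dumps:
        by_pid[d["pid"]].add((d["start"], d["end"] - d["start"]))
    return dict(by_pid)


def pids_with_region_size(dumps, size):
    """PIDs that had a region of exactly `size` bytes dumped. The same size at
    different bases across processes usually means the same image, relocated."""
    return sorted(pid for pid, regions in regions_by_pid(dumps).items()
                  if any(sz == size for _, sz in regions))


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    print("self-copies of the sample:", self_copies(files))
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        print(pid, [(hex(base), hex(size)) for base, size in regions])
    print("PIDs sharing the 0x4B7000-byte image:", pids_with_region_size(dumps, 0x4B7000))
```

The same parser run over the complete listing also separates the sandbox's own Firefox profile writes (glean pings, prefs.js, the OpenH264 and Widevine plugin downloads) from the four executables the sample actually dropped, which is the set worth hashing against an endpoint inventory.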

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 07:50

Reported

2024-08-14 07:52

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1d68db2a0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\c1d68db2a0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2916 set thread context of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2164 set thread context of 1688 N/A C:\Users\Admin\1000037002\9c1186eb68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
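The signature rows above read as separate events, but they describe one chain: the submitted executable probes for VirtualBox (the ACPI DSDT VBOX__ key), the BIOS version strings and a Wine registry key, drops explorti.job into C:\Windows\Tasks, and writes into the memory of the freshly started explorti.exe copy; that copy adds a Run key for c1d68db2a0.exe, and c1d68db2a0.exe in turn writes into a RegAsm.exe process (the .NET assembly registration tool, a Microsoft-signed binary) and calls SetThreadContext on it, the usual process-hollowing pattern. The Python below is added for this edit and is not part of the sandbox output: it parses rows copied from these tables and from the WriteProcessMemory table further down, maps registry indicators to findings per process, and walks the PID edges to recover the injection chain. The regular expressions only handle the row shapes used here, where no path contains a space; rows for C:\Program Files\Mozilla Firefox\firefox.exe would need a different split. The finding labels are the editor's.

```python
"""Turn the behavioral1 signature rows into per-process findings and recover the
injection chain from the PID edges. Added example; labels are the editor's."""
import re
from collections import defaultdict

# Rows copied from the report's Signatures tables (Description Indicator Process
# Target). Only row shapes whose paths contain no spaces are included.
SIGNATURE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1d68db2a0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\c1d68db2a0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
PID 2236 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1720 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe
PID 2916 set thread context of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2164 set thread context of 1688 N/A C:\Users\Admin\1000037002\9c1186eb68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"""

# Registry paths that only make sense as environment probes (editor's labels).
REGISTRY_RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "evasion: VirtualBox ACPI table probe"),
    (re.compile(r"\\(System|Video)BiosVersion$", re.I), "evasion: BIOS version probe"),
    (re.compile(r"\\Software\\Wine$", re.I), "evasion: Wine registry probe"),
]
REG_RE = re.compile(r"^Key (?:opened|value queried) (\S+) (\S+) N/A$")
RUN_RE = re.compile(r'^Set value \(str\) (\S+\\CurrentVersion\\Run\\\S+) = "(.*)" (\S+) N/A$')
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
INJECT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def analyse(text):
    """Return (findings per process image, child pid -> parent pid, pid -> image)."""
    findings, edges, image_of = defaultdict(list), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := REG_RE.match(line):
            key, proc = m.groups()
            findings[proc].extend(label for rx, label in REGISTRY_RULES if rx.search(key))
        elif m := RUN_RE.match(line):
            _key, value, proc = m.groups()
            # The sandbox prints the value with doubled backslashes; keep it as logged.
            findings[proc].append(f"persistence: Run key -> {value}")
        elif m := FILE_RE.match(line):
            path, proc = m.groups()
            if path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job"):
                findings[proc].append(f"persistence: task job file {path}")
        elif m := INJECT_RE.match(line):
            src, how, dst, src_img, dst_img = m.groups()
            edges[int(dst)] = int(src)
            image_of[int(src)], image_of[int(dst)] = src_img, dst_img
            # Redirecting a thread in a process under C:\Windows after writing to it
            # is the process-hollowing pattern: code runs under a signed host image.
            if how == "set thread context of" and dst_img.lower().startswith("c:\\windows\\"):
                findings[src_img].append(f"injection: SetThreadContext into {dst_img}")
    return dict(findings), edges, image_of


def injection_chains(edges, image_of):
    """Walk child -> parent edges from each leaf up to its root, oldest process first."""
    leaves = [pid for pid in edges if pid not in edges.values()]
    chains = []
    for leaf in leaves:
        chain, pid = [leaf], leaf
        while pid in edges:
            pid = edges[pid]
            chain.append(pid)
        chains.append([(p, image_of[p]) for p in reversed(chain)])
    return chains


if __name__ == "__main__":
    findings, edges, image_of = analyse(SIGNATURE_ROWS)
    for proc, labels in findings.items():
        print(proc, *labels, sep="\n    ")
    for chain in injection_chains(edges, image_of):
        print(" -> ".join(f"{pid} {img.rsplit(chr(92), 1)[-1]}" for pid, img in chain))
```

The second chain (PID 2164, 9c1186eb68.exe) has no parent edge in the excerpt because its WriteProcessMemory rows are not among the ones copied here; on the full table it attaches under explorti.exe like the first. For a hunt, the durable indicators this yields are the Run key value under HKCU\...\CurrentVersion\Run, a .job file in C:\Windows\Tasks named after a Temp executable, and a RegAsm.exe whose parent is an unsigned binary under a user-writable path.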

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\9c1186eb68.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\1848190509.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1720 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe
PID 2916 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1720 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\9c1186eb68.exe
PID 2164 wrote to memory of 1688 N/A C:\Users\Admin\1000037002\9c1186eb68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1720 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\1848190509.exe
PID 2368 wrote to memory of 1032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 2052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2052 wrote to memory of 1628 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2052 wrote to memory of 2128 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe

"C:\Users\Admin\AppData\Local\Temp\d051474ba32beb9890bd6bdfd587d190N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\9c1186eb68.exe

"C:\Users\Admin\1000037002\9c1186eb68.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\1848190509.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\1848190509.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.0.1328700268\1084139036" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35161ff5-cb76-46fc-bd92-95417f31fd65} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1368 fceed58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.1.1233458885\1736123019" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea1306ee-7934-46e4-91ce-d960efb31554} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1544 eaed358 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.2.1119926642\827854634" -childID 1 -isForBrowser -prefsHandle 2024 -prefMapHandle 1124 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b862df2-511d-48bc-8b23-54fc34584e80} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1912 19fdae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.3.1622216041\430174540" -childID 2 -isForBrowser -prefsHandle 2564 -prefMapHandle 2556 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {390ca608-3fde-4764-ba24-f626912ff78f} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 2576 1c1f5858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.4.1416224884\1595242534" -childID 3 -isForBrowser -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a56a828-fcd7-4a3e-9138-9f2dc7cbdaf2} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 3936 20ef6658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.5.60694515\379550003" -childID 4 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfc7977c-3458-49f7-b782-d326c60d13ed} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 4036 20ef4b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.6.1638735995\612409507" -childID 5 -isForBrowser -prefsHandle 4208 -prefMapHandle 4212 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fbbeaa8-5936-478d-b7da-f5cbd2065603} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 4128 20ef5158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.7.505813574\1786568185" -childID 6 -isForBrowser -prefsHandle 4344 -prefMapHandle 4444 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2786f5f0-94a5-447b-9b44-5459e23a25b5} 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 4456 1b3d0e58 tab

Network

Files

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d051474ba32beb9890bd6bdfd587d190
SHA1 8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156
SHA256 7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593
SHA512 ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a

C:\Users\Admin\AppData\Local\Temp\1000036001\c1d68db2a0.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

C:\Users\Admin\1000037002\9c1186eb68.exe

MD5 2c4259fdd59fc26f2f365501a0ef9da0
SHA1 33773ad2bcf65c0caa9b9ecac510f72313ebe285
SHA256 6080c330d14f3a0b896ae3eed7e44b63f632bdb8d96e39dce5a179be2f06d362
SHA512 295e85660ca4139456b884d30907a4cb4ff44ba07980472db3eaec70b8998ca1b956f91717e98f860507eb2e15286f4b188a5744e1be73cada50b6c51a55acf9

C:\Users\Admin\AppData\Local\Temp\1000038001\1848190509.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

MD5 92d4357da2d94314458ccd1e444d5c92
SHA1 c1f69fe0d5b4f5b264a40fa2450cff18759a8abe
SHA256 267ac139103186ab0f79a5b8b06d3b4e1abba86e24fcfe523d043caef2e2190a
SHA512 d19f0089d782fb9ae41347d0b6251eea476b7320026e1311e41e547a7b1ffe89c94db9f401c4f00fbd3dc612879bc444ca3961ea941ee553c1510cbd087cef55

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\8609d5e0-135f-4d48-b691-65073278339b

MD5 e21b16f9ff32bdfc7a9c183ade6082ce
SHA1 adb83d034020748b1748d22df55d5290eda37ce2
SHA256 f9302d53b1a3b82b9172f4df4bd0053ebb1d3d36ae9c9dcf93cdb66e010f97ba
SHA512 bb365c524ee1f9773253785a272c516d20aaa21ad491f2d07eea7d64fa2b8eadc714d16210f60ccc5dc7317e4fb5e6931e9a98bf9336d433e6f3bbf54d2bc6fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\979317eb-0345-40c1-9cd8-631a81910dd4

MD5 a0ea04288a9e79ce21270a23975be429
SHA1 4ced4876b29ae163e5b7523702685466e877fe3b
SHA256 0406cf1213b524ca571d44d98864d3cef7bbc47ed0b5a01bdd1b45d070a9d55b
SHA512 1c91b8cf471eacd90e436f28cdd0a3ccc70379bf91e09295a23b17b85f30778dc7bbe32fa02301d2ba100f361fce947836bda9934f092bff986ba7ea8e4741e1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

MD5 c0b080e39c9bbcd602488d852f4baf6d
SHA1 14e31ff394ad8880e772a22fe9fa39a009c12501
SHA256 ebd19fcac49b31a897be2b0f86f8c3ef99e3384893f266f00df4c90133ed7b5f
SHA512 f6e11fd7d96f3f53860ab2f45ca7470cd5b6f5190726f0611fc0416308ef495901e936ed7b6c051503e737af68ce2f92202d31ede7b1564c1c77785cac7e90b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 1d87633c899ebb45778026c301d420f3
SHA1 7931aa594a96450488f4bd2d2be9b60a93dce5e5
SHA256 b1f10b1b2b49f98c914ff552a5421c04140ecad4b2f14c41477b6bf060a73893
SHA512 3f33d00cd23f32a089e283adec5233d802142d256b1ba810c466c379cbdb2b6decb20068256a30bcdca66d731670d135cfc4984dc4cb6791c3653c91915438f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

MD5 934d7ecd0d57153981d425c3d6e07eda
SHA1 d2bbb71d65f97756c3453a3d281e479a944d0011
SHA256 9110fc15f03e55d0a4c48c97db8ae6b59463a27de8a08b7a7fccaf6e53aee80e
SHA512 2b19f5939a6b60d7e43be555ae084c301b56725a62f853a4fa661c052cfa13cfb461af538bddf769698c66f3eb3c5633097d48f24173f9acc2150cbd26b4470f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 9f725cdb08f02bb356030d2a037d7de9
SHA1 7a82f277b77ce4dd7314cd78149f13a4b474e0c0
SHA256 45e742b612e8ec8acc59a2c4bfb8579cdcb557add103b1e7e92a25280bab6257
SHA512 9176059bd9809424591a9eb735d9b4d009cc6b123813075183bc4023c9b2ecdf4068fd0ba9fb2f9f2784c75ca3b69e5fbd994cf66c706e91865ec2d9d69770f1

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

MD5 dc4edf29c641896a9317fd1f7320b715
SHA1 62e90bcea5065895c18828da3b0b92e32ed2d7e0
SHA256 522dc4250e41e99fa76a4db594bb14cfb51ad1143e59fadb2ae873972f753999
SHA512 1bb0f432e884bc1c2ac86f21dce90194ef6c2dc97850f433491f38adda44ee853dbbc0e19d4069224d0d9d7acdec5cbba27d0a06dc9bf8be42f87fea90a242c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

MD5 be6ff666fb6478d671ea04096ea65c66
SHA1 cbbbd7405d7f0dd13af4c1561c02a6637c52e244
SHA256 0a8f3750927df311474641a4395ad63d103f3b0d585e3da400ecb97a8ab8cc3b
SHA512 4c1ca4963547b3d1900029ea2fcd939667f9578f76dbbd0e8625ca7f1a290bf5b18ba83f0584989aabd9b474733fe15b685bea268757d7d3c3fd37492b8c74ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d5ca37c939f562a3dd1d5c0f5c1f5884
SHA1 b4032b1a1c9c3ff124c6bf5b8a375daa0a11eeb0
SHA256 83377f45c29b09b225ff65914dbbdafa3c30d3862772fd9cc33f1e93704c994b
SHA512 b3c289dc65c76551e8697c66895e1f94a915699f7b24d0218cd44ab80f3db632ad76b88efe18315f6596007428c109dbe7ef987d63ac9fda5602276f85f5fc3e

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
