Malware Analysis Report

2024-10-18 23:41

Sample ID 240814-l2r5ys1cmr
Target 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf
SHA256 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf

Threat Level: Known bad

The file 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 10:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 10:02

Reported

2024-08-14 10:04

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5dc03dbeaa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5dc03dbeaa.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2136 set thread context of 4840 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4468 set thread context of 1432 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\0ae611e92b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2028 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe
PID 2136 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2136 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2028 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\0ae611e92b.exe
PID 4468 wrote to memory of 3096 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4468 wrote to memory of 1176 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4468 wrote to memory of 1432 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2028 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe
PID 4840 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1712 wrote to memory of 4744 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4744 wrote to memory of 2816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe

"C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\0ae611e92b.exe

"C:\Users\Admin\1000037002\0ae611e92b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53cd63bd-7d36-4592-8d1d-f09f8702cf73} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cded2ef1-25bc-42b3-bf8d-ccdfae4dd588} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 1452 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a8b8e0c-053e-4b43-9f62-de07aea41d70} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 2928 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6a7056-f96a-4cfc-b3b5-3b6838778903} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef2c871-5550-41fa-8530-73cc6113471c} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5396 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110df10c-65ab-474e-bc84-2d98eca79637} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ca0008-79ad-4493-a3c3-c8768fc0c0eb} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a68c552d-dfb4-4b63-8094-69c462e71725} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6320 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6252 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90026601-6797-42c9-a5f5-48152472f083} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:58694 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 18.88.81.35.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:58701 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1672-0-0x0000000000E90000-0x0000000001344000-memory.dmp

memory/1672-1-0x0000000077354000-0x0000000077356000-memory.dmp

memory/1672-2-0x0000000000E91000-0x0000000000EBF000-memory.dmp

memory/1672-3-0x0000000000E90000-0x0000000001344000-memory.dmp

memory/1672-4-0x0000000000E90000-0x0000000001344000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 8f051507449e73b6415351694009fb14
SHA1 44beb908fb82d6eafd3050544695b6ffde58c50c
SHA256 9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf
SHA512 d8b4aa25dcb073a09d2ae78de0a9eb50e3ea744a65853ed61e5a6a9c6389495b1979cd9ba6f976b2c2cc4b65c588fa62a8482b3a7ffca83cff1499c1394d6a31

memory/2028-18-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/1672-17-0x0000000000E90000-0x0000000001344000-memory.dmp

memory/2028-20-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-19-0x0000000000851000-0x000000000087F000-memory.dmp

memory/2028-21-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-22-0x0000000000850000-0x0000000000D04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\5dc03dbeaa.exe

MD5 a97c9397775e0bf9e8270435d4a10385
SHA1 fc5479bffdf093b01b116a5c11afa5d4bbddbcfd
SHA256 2c84872454e51e5b18e070e7305edf9a164c9e8046d2606335bfe424c748856f
SHA512 d413e31614513d900c17a9fbbc8b9ae17f87bae0047f344897bebdc1612f2e532be27c165a7675a8410f8626e070ee89e287d173a727d26334ab05168d39e8ed

memory/2136-41-0x0000000072F6E000-0x0000000072F6F000-memory.dmp

memory/2136-42-0x0000000000BA0000-0x0000000000CD2000-memory.dmp

memory/4840-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4840-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4840-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\0ae611e92b.exe

MD5 fa5cd7b86d35c07d61b9251b3d6813f8
SHA1 d484235241beade85f2ede79d38ba56dce5d59c7
SHA256 1233bbb7a019e56b109ca8606b713aabce6262fb7ff45ea4c854f15380843a96
SHA512 572d502952a422f23bf7d5f633833808d710c934df96cebe2d2fdc938cf4bf585e69ce9c492bc2aa06400eaf34e901ca7b18d9893a47dfa811ac3059023af36d

memory/4468-67-0x00000000004B0000-0x00000000004EA000-memory.dmp

memory/1432-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1432-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3640-87-0x0000000000B20000-0x0000000000D63000-memory.dmp

memory/3640-88-0x0000000000B20000-0x0000000000D63000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\9fea4a10-3057-40a9-90f8-a1f3f28579fd

MD5 1c4060bed0d42b614640cd9b8aac946c
SHA1 b995a82329bce5e81830f91ba701e454ce9b33f7
SHA256 c76e38ebcaacab6f606cb6e06424a9910fd4d08a67bec4c66538d5f7726354c3
SHA512 b9310449b370df2630a894bc0de162cd83668926e1ad2de2b4e014be4d5243bd65cbc58995d2cea4866a68c4fb01ea2d233c81649766621271a5a98fdc37ac81

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\bd175d18-314f-45e1-9c16-56b5cb2be649

MD5 6e7b03d91cc96eceda2dea3a0605fcf0
SHA1 8db9e9677f8df5c75e9614d83778105e3f8f65a1
SHA256 0da2f355bebadce6b46dc9ea957d09003755b6bfb3d765809fd8569700510781
SHA512 a15be2d11e0996ba70326ea8aa949611d84fae678c6f91236b6db1e1d8d3429eab54b1844ab22bd312d0dcc8e24197fb0c1044b3c50eb5ad3e3d1f4f7bdc00c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\ae5cb4ff-e892-4b0a-86b5-d13936e28ebe

MD5 efc930c48f415ea531d8987563fdb8e1
SHA1 cbbe7dd2496aa3bbcdc2e5d758dcfa17fcb2c061
SHA256 3cf3e41ea1f56c330b209374fe55563e01b18a9136a35c56cd837ffc1b3bc99f
SHA512 f72607a35b59814524917b9c73cdb35f63fd9a55ba4e0f7d921ea8663699a6000abb150a5df62c03f38f76d5cb3cc959228f1bb4cb772fe56236c668727e07bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 5fb58c20572ac69a496706caa2315785
SHA1 77213f70ebe1a667601c2905395defce7af52309
SHA256 e66abd12bfd862903defbf020d9467b5d1bf9f49b2fc65b50a45d69215ac70f3
SHA512 76d6b48159197da3e10e1d9f3604c67dd63faa309d7d0c0659275cfdb27311b05c7be8c2e701ce80727088173d17e4d5e11fec4e68bef75e3158fe4860ca79f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

MD5 7e6b3269e2eec67152ca4d906d948dc2
SHA1 29a27c679dfe1dec37ef4c048e34e376e7c20241
SHA256 19e8d54344cf51bf43bf6dbd9534395127d73cfba01ff9671f05266a11db7bc2
SHA512 2beb916c06cc14f2f832a9bbe18f9ada528341267fcbaf877f2654c1ba6357aa18f1696b032e2d966a4259902f5806def87e71a16dd5f38006d043563c127cb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 5cee3d2234fa5dece3f77dcdb995e915
SHA1 6afc08b6064e19c113866a61c8558b3879f2f51e
SHA256 86da902ed7a948dd803a1fcf694d6ce742a4351621dd6081da7e4aaa2775ef4c
SHA512 cab7a8a5c7038d341475bf88874136752828818f6bc8b524dbe3912063a5a02c4830ed7be8ff322d466e8d93c3927632e6ad42176fb672344942e269c2e9743d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 e11fdb42a40d05139c422a5bb087c212
SHA1 e3b1cf39ff206441772eeb28cfdaf2e4bf83cc8c
SHA256 d79409af475ad0f211bf2b9cf248b71781dacf2278b91130260ad794fb32a23f
SHA512 5ec91a2f31781172cb60339c37743d43a2fa5947a619fcc7ef28b2dda5064ff28bdc382c10d3f26261152177e74158bf8a5232cf2aa0c7c2802eccec6eec78c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 0076fdf23f5c7feebdb0107a2192e98e
SHA1 222402f9d190fb93f68fd28dcbf0526349f68c0d
SHA256 6506573771271af192410bcab8b451702969943a56b0f3628d6f852871a7d7c0
SHA512 4dc2abab28878a260e53a8c12f2f19085e603ee9101267b5615124673e6e57ff935e0ebac39b62b906b42d031456af1fcf83dce68d4d2c0aafedace1cfbec3be

memory/2028-424-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-445-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-446-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-447-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-452-0x0000000000850000-0x0000000000D04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 756111da4fc5c532cb635ffaa4bca8db
SHA1 06ef7dd40c5d4e85c11d644f129759fcc153f349
SHA256 dcef3ffbd4c748c505e47b9d19374fe7441e960c6645d1f898116c7462fd3f45
SHA512 3411fb86bfbadfdc6497d641fe65eec3cd19e7af22c84e9ddab200150981c18e7e8a6c210e0cab6007076a3bbf4840a6a3e7c8a59f2a2f4846298ab17cc521bc

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 8653104a1496003ba7bdd0f0fd24ae2a
SHA1 c29c906516f252bcc0e1cb3bc98250082a96c1ef
SHA256 f45df1c398c4a6f5cb06434a7e305637152fe990780d60d6ada548b16cfd8bc4
SHA512 2627fcb1cc97b5558f84cbfe837537123f64bc44c5276bc3e840e60b6cb70695333e9826098b47d7694cda7c497de946d106c85c89963637db3990070919e89e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 9d14af02283d4488bf4529b2900a6f0b
SHA1 ed6d11195c47b3c5d08ba64f519aa91fa41a7dbb
SHA256 0ed334463426583113e81b765a64b845986af2c7f7f493ef170fa52eecc68ee5
SHA512 422dc9b33635ed7d9929aaf0e7c4d1317dd5d697ce04a0dd46c4e529e48580555795e90bd9082d4488237ea494eade974e097ef28242ccc005fb29b2e7032e1c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 4a0812199810a580a24151d7788aafe7
SHA1 3f1d35c9fbe34b13a5a45484e27f97951ffa0ce8
SHA256 dfb34bcfbadefc32f7c661cede992d214add39c53b8b2c3e3e2304b18912b22b
SHA512 0983c12ae117a2e02291a6a8088e957432c160c269e0bc2ed952b1b7e2324482f87969977870d6f1821b38a3bdae5eb0790e39e73c83d6e35371b1be4f619301

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 b8dc72a757f11f8c727a136af1afd534
SHA1 72f21bd3ea65de67c362304d4d5dee8c5c504da4
SHA256 6a70b7ab004f977aaeb6904b43ab12e549adb9be08d49dae7f9ecde8c68d52fa
SHA512 fdf036dc98f1bd5c2f058da124d17a99ca97ec4cd7f747d1e4e8baf324ae0de164249ab974cf47151b72f4d5c7cf0276055ca0cc1f7ab425e93e3f90a8092737

memory/2028-1075-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2163-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/5820-2347-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/5820-2390-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2656-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2662-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2664-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2665-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2666-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/1492-2669-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2668-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/1492-2670-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2671-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2677-0x0000000000850000-0x0000000000D04000-memory.dmp

memory/2028-2678-0x0000000000850000-0x0000000000D04000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 10:02

Reported

2024-08-14 10:04

Platform

win11-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6b7eb3454.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e6b7eb3454.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1672 set thread context of 668 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 set thread context of 3724 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\0ae611e92b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5692 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4360 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe
PID 1672 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4360 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\0ae611e92b.exe
PID 3908 wrote to memory of 3592 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3724 N/A C:\Users\Admin\1000037002\0ae611e92b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4360 wrote to memory of 5392 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe
PID 668 wrote to memory of 5560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5560 wrote to memory of 3984 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3984 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe

"C:\Users\Admin\AppData\Local\Temp\9bb50c79fcd5eb36eeacb3977ab999d0b63fcf95c1e3cc54447b9fb3dfe336bf.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\0ae611e92b.exe

"C:\Users\Admin\1000037002\0ae611e92b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc32a8e1-e18a-4106-8926-55ad7d0846f8} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a55b2c-48ed-41d1-b242-016c9cf863a0} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 3348 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42aae668-6b91-41d8-8f6b-80c338e146c4} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 2872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81ac50c-0284-432f-a511-ed47bf8430cf} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a529bc-aaba-4b7e-abf0-43a89b1d9b33} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5576 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {666008de-7728-4eb5-9a0d-98f8adc04abe} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5760 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f76aa4c2-edaa-4bd9-8184-e5bf6992d98b} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba007440-d365-4abd-ae1d-caa349536800} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6408 -childID 6 -isForBrowser -prefsHandle 6356 -prefMapHandle 6212 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fbc5974-2bd4-4773-9c52-c675e91ccf13} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49840 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49848 tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 52.111.227.11:443 tcp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\e6b7eb3454.exe

C:\Users\Admin\1000037002\0ae611e92b.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\accebe5e21.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\d4e8bb5a-767d-4545-842f-e8367259daaf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\ba5a3d2c-de6b-4b25-890b-6d4aeb79c799

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\d5cb33db-2452-4ba1-96ad-26bea63daf73

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll