Malware Analysis Report

2024-10-18 23:42

Sample ID 240815-jdlbdswhnl
Target 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189
SHA256 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189

Threat Level: Known bad

The file 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 07:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 07:33

Reported

2024-08-15 07:35

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f53ac07f01.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f53ac07f01.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 512 set thread context of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 set thread context of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\74358310d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2680 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2680 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4972 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe
PID 4972 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe
PID 4972 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe
PID 512 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 512 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4972 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\74358310d6.exe
PID 4972 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\74358310d6.exe
PID 4972 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\74358310d6.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 wrote to memory of 2508 N/A C:\Users\Admin\1000037002\74358310d6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe
PID 4972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe
PID 4972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe
PID 4736 wrote to memory of 3476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4736 wrote to memory of 3476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3476 wrote to memory of 4496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4496 wrote to memory of 2952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe

"C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\74358310d6.exe

"C:\Users\Admin\1000037002\74358310d6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {859fe949-2f35-41fc-81c3-c1fa9233fabd} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d0ce308-2276-45e6-9a57-ee6dac333676} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34cba362-2f84-427b-b0da-ded48f087e3d} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 2936 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff5519eb-222b-4e7e-b698-28aa9dc84ea8} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4184 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e39db9ac-c1f6-4bcb-92b2-dfa419beda25} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5137fcaf-bbcc-45b7-8f04-10f9f91f1486} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7725ecf2-edeb-4afd-9cdc-518f51101adc} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2d8d8c0-4f19-4a81-a84a-d42173774e68} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6340 -childID 6 -isForBrowser -prefsHandle 6376 -prefMapHandle 6312 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0bfed21-1deb-478f-b8b7-b6c4513626d6} 4496 "\\.\pipe\gecko-crash-server-pipe.4496" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:56521 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 34.42.82.35.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:56528 tcp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 40.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
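The rows above mix three kinds of traffic: forward and reverse (in-addr.arpa) DNS lookups to 8.8.8.8, background traffic from the Firefox instance that ran during detonation (Mozilla, Google, Bing, Akamai and openh264 hosts), and four TCP rows on port 80 to three addresses, 185.215.113.19, 185.215.113.16 and 185.215.113.100, whose Domain column is just the IP, meaning no name was ever resolved for them. The example below is added by the editor and is not part of the sandbox report: it parses rows in this table's Country/Destination/Domain/Proto layout and pulls those hard-coded plaintext HTTP destinations out as C2 candidates. The benign-suffix list, the reading of a Domain column equal to the destination IP as a hard-coded address, and the subset of rows (copied from this table) are the example's assumptions.

```python
"""Triage rows from a sandbox 'Network' table laid out as
'Country Destination Domain Proto' (the Domain column is missing for loopback
rows and repeats the bare IP when no DNS name was resolved).

Added example; the classification rules are assumptions, not the sandbox's logic.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Subset of rows copied from the report's Network table.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:56521 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Suffixes treated as browser/OS background traffic (assumption; tune per environment).
BENIGN_SUFFIXES = (".mozilla.net", ".mozilla.com", ".mozaws.net", ".mozgcp.net",
                   ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com",
                   ".bing.com", ".bing.net", ".akamai.net", ".openh264.org")

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list:
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue  # blank line or the header row
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_benign(domain: Optional[str]) -> bool:
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def triage(text: str) -> dict:
    """Bucket every row; C2 candidates are connections to a hard-coded IP."""
    report = {"c2_candidates": Counter(), "plaintext_http_c2": set(),
              "queried_names": set(), "background": set(), "review": set(),
              "ptr_lookups": 0, "loopback": 0}
    for c in parse_rows(text):
        if ipaddress.ip_address(c.ip).is_loopback:
            report["loopback"] += 1                 # local IPC, e.g. browser helper sockets
        elif c.port == 53 and c.proto == "udp":     # DNS query; Domain is the name asked for
            if c.domain is not None and c.domain.endswith(".in-addr.arpa"):
                report["ptr_lookups"] += 1          # reverse lookups of peers already contacted
            elif is_benign(c.domain):
                report["background"].add(c.domain)
            elif c.domain is not None:
                report["queried_names"].add(c.domain)
        elif c.domain == c.ip:                      # no name resolved: address was hard-coded
            key = f"{c.ip}:{c.port}"
            report["c2_candidates"][key] += 1
            if c.port == 80:
                report["plaintext_http_c2"].add(key)
        elif is_benign(c.domain):
            report["background"].add(c.domain)
        else:
            report["review"].add(f"{c.domain or c.ip}:{c.port}")
    return report


def c2_iocs(report: dict) -> list:
    """Unique 'ip:port' C2 candidates, sorted, ready for a blocklist."""
    return sorted(report["c2_candidates"])


if __name__ == "__main__":
    r = triage(SAMPLE_ROWS)
    for ioc in c2_iocs(r):
        print(f"C2 candidate {ioc} ({r['c2_candidates'][ioc]} connection(s))")
    print("background domains:", len(r["background"]), "| PTR noise:", r["ptr_lookups"])
```

Run as a script it prints the three candidates, with 185.215.113.100 contacted twice; fed the full table above it yields the same three, which are what to block or hunt for first. The heuristic deliberately ignores the country column: the RU/US/NL/FR labels say nothing about intent, and the hard-coded-IP-plus-plaintext-HTTP pattern is what matches the Amadey/Stealc detections on this page.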

Files

memory/2680-0-0x00000000004B0000-0x0000000000967000-memory.dmp

memory/2680-1-0x0000000077454000-0x0000000077456000-memory.dmp

memory/2680-3-0x00000000004B0000-0x0000000000967000-memory.dmp

memory/2680-2-0x00000000004B1000-0x00000000004DF000-memory.dmp

memory/2680-4-0x00000000004B0000-0x0000000000967000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5193ccd3d4b697e58c680bcd4954dd6e
SHA1 1faafc8d8f4ae43f14523d3d9ccab85c6e79af10
SHA256 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189
SHA512 e2f53360c3e07cc56b140ffa616f4fd0e9f2e6a1df82d8f434db1ff4a0aa5d657edb8b1fb03704980fbad23b240e2196dd67c6000fd1ce8f1732783e86f19c4d

memory/2680-17-0x00000000004B0000-0x0000000000967000-memory.dmp

memory/4972-18-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-19-0x00000000006D1000-0x00000000006FF000-memory.dmp

memory/4972-20-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-21-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-22-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-23-0x00000000006D0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe

MD5 a692e9aa849f2e4ef174116c2c7ff1f4
SHA1 c6a830449f364888bfdf84b93b50bd2091ceb195
SHA256 68418f2dfa408b5d47bd6dd209a2c51d86d946448cdd8533e01aaf663bd37d25
SHA512 0ff667c1371512f4794e97344c220bba2baa4cded3a4b6cd7d628e61f0c171fbca4b607df3c4f323e21c7329cf5bdc565ffa2a2c3bd9ae0a7bac706b7e24b335

memory/512-42-0x000000007306E000-0x000000007306F000-memory.dmp

memory/512-43-0x0000000000EB0000-0x0000000001002000-memory.dmp

memory/4736-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4736-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4736-49-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\74358310d6.exe

MD5 cce7286520fba2ea0ebcb5ded18c5ee7
SHA1 06879b8744cccd54fdd33dcb0c9309e60a416386
SHA256 99a73b9c1d55b09c417d4b106a761619e8733f04569665708dfd6b7c3b03061a
SHA512 f1b350449b3d6bb9f1b234868fd353cadc9a33fac368519589d3ccb24ab60ba1081fe92a363ebecafd49ad066003525cec292dfd6add3c8622bdbc4fa1c7658d

memory/4136-68-0x00000000005E0000-0x0000000000638000-memory.dmp

memory/2508-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2508-72-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2212-88-0x0000000000200000-0x0000000000443000-memory.dmp

memory/2212-89-0x0000000000200000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\4579740f-844d-4925-b63b-4a34811818df

MD5 ff3783f5ecbc7e361e9c98c9ac1b6b2b
SHA1 e015421b1254f7e401d005b909ad653a4c466962
SHA256 205f4e7bd93917fcbab61540a422a901b60a9c58174f9053ac10ccc3d0fb66c3
SHA512 718516b0c0e738fc0707c9132d40f1662283aca050fb2aeec4e13ff32ec498e959baa8cd0847dc67172d569c661c006ed099db23ade218f2f83efef2af2fff61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\89ea0787-38e7-49d7-8bd6-21254868cbf9

MD5 08f848d2222d1d596f88573e09dabd16
SHA1 64e14cb9486d7aefc28fb284637596057f24465b
SHA256 69942b1a4634dbe1dea922a41bbd122e1199d08f7fce9235db99c740ecc6f621
SHA512 7f6c66af1f822945792c56280e21760d8e60119765b1e7c67647972f1280366b20b8676c8c137dcb703c170f2d9450f830ffbe086225e5927efb36e107af87f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\cf74ca61-5223-4bf4-bacd-c67f950949ae

MD5 dbbe7eb75495697443e4f45c10faf524
SHA1 bb8c52f933fe63507ca761afd64d62ce3ac4fff6
SHA256 47fa670a5b22d7b59eb1b3dd4350431fad723a13dba6202b5f292307dbb82004
SHA512 735c814c83b73c401d1faf3dcb0ad04ef1dd3f2713af5c6c8eb06d92effea5398afc54bb1a347789a91d7dde87c320dbd25585912a5d64872835edde433a8289

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 1b686a3e1096ac3b35133dec1974327f
SHA1 61fd18d8c5985ba4f3fe1de869a09007443698c9
SHA256 caa4372cbe918bfe7254c4529ec5f607fc3c79ac1c2ddfa610030fbc827cc241
SHA512 76b998f4a8a85f1099ae14f3389486767d22d2c39af858c4a90a9d4f4c7f6e154078cbf4322634f688b46a5e7c9a58a36953c74e5d7d8c3ebc97ac428078e9f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 0a5b675be05c530a4fd89ca95e53e1e2
SHA1 75caa3ac31968cd1048011cade3da0978165caa6
SHA256 4b1a280d6809af1286fbb33b74c2a63fb628bd0be8216b2ff1c3d81d1b9b341e
SHA512 18b22ba2f868dac9708ebca1e9906eec6a059bf92ae6c817eb07624b715a2a5931f8bc8dc4ecaa3583ba53662ad3934f0327c18cb297bf1db6c714cdd24d0494

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 d2046c08ddc1ccfec9a1c2304cfe9872
SHA1 cc52ef70046a5a92357c2cf04c76a6826d7596d5
SHA256 9664e72a78f81e96ee17886dd905f2fc20201c22bc1c5f89aa53674602071129
SHA512 9d1f7e77a8ad19bc571f7c8a6a11f758e5e9a1776b780e4304fa6427cb3a982a98c52518cec61120fdf347698c71a93d2ca043a694c81410b399bc0a2d8bb2b9

memory/4972-377-0x00000000006D0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 b6d61ff91f43cfc056b1e17642243a31
SHA1 e4c53858a539935e898a1aee13ed26f8e4408537
SHA256 73821a105a9a91b8f8cbbca9d0f9da3614c1f8682dd6a7b65d2b3ae271e8dd8a
SHA512 2944684bce325ec4ae71a840f3297c813646b5ea9f12e3f7595265ec72513ec7fabe19f93758ddd28058aafe2c0a7410eb40bac42ae3fd367fd3a06d08de57ae

memory/4972-435-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-436-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-445-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-448-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-449-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-454-0x00000000006D0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 2e79cc0e1d934da97b1d3bc1bd24a02f
SHA1 2655319bb07d115db212df870252d357c238abc8
SHA256 3e3274a909e82a7c8a1e6bc74f499e66e377e2ccb6be1c4080c34f22cedbb659
SHA512 676284a261bb023553ecfd5c3577025178ab715c48eeed75a835b104b0c7897a6d63bf399fe61c07d17432e0456c61f5dff6cb141cb37c36a9b0dfda3ae348dd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 c3f2d871c44db34b7178a9cdf6d27523
SHA1 a830ff801cb580f6a127f5f3365eb30e505841d0
SHA256 cde52f925c4ec27c09311a169e93203edca7ae9f0e7610118dec2093e17d7876
SHA512 68b7b262483973bd82034603b3573dc4bf9b9a5ec03da7d67239a0f2fb92ed490310d606b9aad03afd982a25b1e10a16fc494057f6549d08d4379fb829a7c4a8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 70fa16b1a936442583cb45c086782187
SHA1 3db730d0aca3e860b0cc5463a5118bf5d570a526
SHA256 1fecd3ae88b111f5054eb5133f11261975ef936dc4566d804f6cfec029db7cc1
SHA512 0d84de40124d40170f3fec8b1e57cb245b05023e7de9b3f3529371dc0b20a3c667db02808110b6769531be98b3ae536be1423d327175699b510a1ecab55d162f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3caa66e84182382f6c048bd44e3578cc
SHA1 c794b8edceef4ada60e55a2fb71b41305529af2a
SHA256 965f03a78b538ea4f90711c154edc4e5e11ce864789dce10729284f0a1d80a07
SHA512 9fe7992ea19f726bc1579004d3e21e50326e150f564d87f19f70e66d0167025d89cdc0cb622669a718958f5767c694ceff6b5862a8be37062e4b855849db4875

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 4379a4ac884553bd44c6299a93b14c35
SHA1 09279bbce601801290f91138b7112d993e4444d1
SHA256 b053f59843673744f8b80ce1e0e3b3d8e169dbb0bb83575269ce83da1dab7c15
SHA512 6ba71c6027d8f06543aea8b659821836f0919ac3c9adf2efe800338cc17c7dbb1dd22d967f4a463c621c2a922dc689ba60c6eb9e12895d48dfe3c0f05f7f36c7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 1b148df9f75edf9e24d1e8786b95b935
SHA1 1f24ce6f2d4a86fe252597777d2c0c591bdf255f
SHA256 99f9ca5c7a53f01ab5693dd87cfff0e40ffb542f565b9d84225862e47e6a7683
SHA512 66bb07709ecd8565afaece6f389dc700f5b1f8a697de1ab711f5945e729c8df87395258071a08f9b61897f1d5d92365f77f47d36ddf00d70d36f9adfff04e636

memory/4972-909-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/2312-1346-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/2312-1379-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-1983-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2565-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2571-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2575-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2576-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2577-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/5964-2579-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/5964-2580-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2581-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2582-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2588-0x00000000006D0000-0x0000000000B87000-memory.dmp

memory/4972-2589-0x00000000006D0000-0x0000000000B87000-memory.dmp
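Two things in this list matter more than the Firefox profile churn: the dropped C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe carries the same SHA256 as the submitted sample (the sample copied itself under a new name, and the Processes list shows that copy launched four times), and the three binaries under ten-digit directories (1000036001, 1000037002, 1000038001) are second-stage downloads with hashes of their own. The memory dumps also show PIDs 2680, 4972, 2312 and 5964 each mapping an image of identical size (0x967000 - 0x4B0000 = 0xB87000 - 0x6D0000 = 0x4B7000 bytes), consistent with the same binary running in all four. The example below is added by the editor, not taken from the report: it parses entries in this section's layout (path line, blank line, hash lines; memory/<pid>-... lines for dumps), classifies them and groups PIDs by image size. The classification rules and the trimmed subset of entries are the example's assumptions.

```python
"""Inventory the flattened 'Files' section of a sandbox report.

Layout: a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines; lines of
the form memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp are memory dumps taken
from that PID.  Added example; the classification rules are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# SHA256 of the submitted sample.
SAMPLE_SHA256 = "6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189"

# Subset of the report's Files section, copied with most hash lines dropped.
SAMPLE_FILES = r"""
memory/2680-0-0x00000000004B0000-0x0000000000967000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5193ccd3d4b697e58c680bcd4954dd6e
SHA256 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189

memory/4972-18-0x00000000006D0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\f53ac07f01.exe

SHA256 68418f2dfa408b5d47bd6dd209a2c51d86d946448cdd8533e01aaf663bd37d25

C:\Users\Admin\1000037002\74358310d6.exe

SHA256 99a73b9c1d55b09c417d4b106a761619e8733f04569665708dfd6b7c3b03061a

C:\Users\Admin\AppData\Local\Temp\1000038001\90096ffa59.exe

SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

SHA256 9664e72a78f81e96ee17886dd905f2fc20201c22bc1c5f89aa53674602071129

memory/2312-1346-0x00000000006D0000-0x0000000000B87000-memory.dmp
memory/5964-2579-0x00000000006D0000-0x0000000000B87000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Download slots seen on this page: <10 digits>\<10 hex chars>.exe
PAYLOAD_RE = re.compile(r"\\\d{10}\\[0-9a-f]{10}\.exe$", re.IGNORECASE)


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files(text: str):
    """Return (file entries, {pid: {(start, end), ...}})."""
    files, regions, current = [], defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, start, end = m.groups()
            regions[int(pid)].add((int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any path: {line!r}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        current = FileEntry(line)           # any other non-blank line starts a new file
        files.append(current)
    return files, dict(regions)


def classify(entry: FileEntry, sample_sha256: str = SAMPLE_SHA256) -> str:
    if entry.hashes.get("SHA256") == sample_sha256:
        return "self-copy"                  # the sample re-dropped under a new name
    if PAYLOAD_RE.search(entry.path):
        return "downloaded-payload"         # second-stage binaries fetched after detonation
    if "\\Mozilla\\Firefox\\" in entry.path:
        return "browser-profile"            # browser housekeeping, not sample activity
    return "other"


def inventory(text: str, sample_sha256: str = SAMPLE_SHA256):
    """Group file paths by class and compute each PID's mapped image size(s)."""
    files, regions = parse_files(text)
    by_class = defaultdict(list)
    for f in files:
        by_class[classify(f, sample_sha256)].append(f.path)
    image_sizes = {pid: sorted({end - start for start, end in rs})
                   for pid, rs in regions.items()}
    return dict(by_class), image_sizes


def pids_by_image_size(image_sizes: dict) -> dict:
    """PIDs whose dumped image region has the same size: likely the same binary."""
    groups = defaultdict(list)
    for pid, sizes in image_sizes.items():
        for size in sizes:
            groups[size].append(pid)
    return {size: sorted(pids) for size, pids in groups.items()}


if __name__ == "__main__":
    classes, sizes = inventory(SAMPLE_FILES)
    for cls, paths in classes.items():
        print(cls, *paths, sep="\n  ")
    for size, pids in pids_by_image_size(sizes).items():
        print(f"image size {size:#x} shared by PIDs {pids}")
```

The SHA256 match is the check worth automating: a dropped file that hashes identically to the submission is the persistence copy, so its path (here the random 0d8f5eb8a7 directory and the explorti.exe name) belongs in the IOC list alongside the three payload hashes rather than being treated as a new artifact.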

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 07:33

Reported

2024-08-15 07:35

Platform

win11-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6301dcfdc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e6301dcfdc.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2968 set thread context of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 set thread context of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A
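Read together, the tables above describe one chain: the sample fingerprints the environment (the VirtualBox ACPI table, the BIOS version strings, the Wine marker key), runs on as explorti.exe, drops C:\Windows\Tasks\explorti.job and a Run value for the downloaded e6301dcfdc.exe, and the downloaded payloads then call SetThreadContext on a child RegAsm.exe, the usual sign of injection into a freshly started .NET host. The example below is added by the editor and is not the sandbox's logic: it takes rows in the Description/Indicator/Process/Target layout, maps each to an ATT&CK technique and flags any process that both performed a VM/sandbox check and installed persistence. The rows are transcribed from these tables, the technique IDs are the editor's mapping rather than the report's own ATT&CK section, and rows attributed to firefox.exe elsewhere in the signatures are left out on purpose.

```python
"""Map sandbox signature rows (Description, Indicator, Process, Target) to
ATT&CK techniques and flag processes that both fingerprint the environment and
install persistence.  Added example: rules and technique IDs are the editor's
mapping, not the report's.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SID = "S-1-5-21-6179872-1886041298-1573312864-1000"

# Rows transcribed from the signature tables: (description, indicator, process, target).
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", EXPLORTI, None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", EXPLORTI, None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE, None),
    ("Key opened", r"\REGISTRY\USER\%s\Software\Wine" % SID, EXPLORTI, None),
    ("Set value (str)",
     r'\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\e6301dcfdc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e6301dcfdc.exe"' % SID,
     EXPLORTI, None),
    ("File created", r"C:\Windows\Tasks\explorti.job", SAMPLE, None),
    ("PID 2968 set thread context of 3612", None, PAYLOAD, REGASM),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", REGASM, None),
]

# (technique id, label, regex on Description, regex on Indicator or None)
RULES = [
    ("T1497.001", "sandbox evasion: VirtualBox ACPI table",
     r"^Key opened$", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("T1497.001", "sandbox evasion: BIOS version strings",
     r"^Key value queried$", r"\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("T1497.001", "sandbox evasion: Wine marker key",
     r"^Key opened$", r"\\Software\\Wine$"),
    ("T1547.001", "persistence: Run key value",
     r"^Set value \(str\)$", r"\\CurrentVersion\\Run\\[^\\= ]+ = "),
    ("T1053.005", "persistence: scheduled task .job in C:\\Windows\\Tasks",
     r"^File created$", r"^C:\\Windows\\Tasks\\[^\\]+\.job$"),
    ("T1055", "process injection: SetThreadContext on another PID",
     r"^PID \d+ set thread context of \d+$", None),
    ("T1614.001", "discovery: system language",
     r"^Key opened$", r"\\Control\\NLS\\Language$"),
]

EVASION = {"T1497.001"}
PERSISTENCE = {"T1547.001", "T1053.005"}


def match(event):
    """All (technique id, label) pairs whose rule fits one row."""
    desc, indicator, _proc, _target = event
    hits = []
    for tid, label, desc_re, ind_re in RULES:
        if not re.match(desc_re, desc):
            continue
        if ind_re is not None and (indicator is None or not re.search(ind_re, indicator)):
            continue
        hits.append((tid, label))
    return hits


def summarize(events):
    """{process path: sorted technique ids} over every row."""
    by_proc = defaultdict(set)
    for ev in events:
        for tid, _ in match(ev):
            by_proc[ev[2]].add(tid)
    return {proc: sorted(tids) for proc, tids in by_proc.items()}


def injections(events):
    """(source pid, source exe, target pid, target exe) for each SetThreadContext row."""
    out = []
    for desc, _ind, proc, target in events:
        m = re.match(r"^PID (\d+) set thread context of (\d+)$", desc)
        if m:
            out.append((int(m.group(1)), proc, int(m.group(2)), target))
    return out


def evasion_and_persistence(summary):
    """Processes that both checked for a VM/sandbox and installed persistence."""
    return sorted(p for p, tids in summary.items()
                  if EVASION & set(tids) and PERSISTENCE & set(tids))


if __name__ == "__main__":
    s = summarize(EVENTS)
    for proc, tids in s.items():
        print(proc, "->", ", ".join(tids))
    print("evasion + persistence:", evasion_and_persistence(s))
    print("injections:", injections(EVENTS))
```

Two caveats when turning this into a real rule. A single BIOS or Wine key read is not malicious on its own (installers and licensing code read the same keys), so the combination with a persistence write is what earns the alert here. And the .job-file check only catches the legacy C:\Windows\Tasks path; a task registered through the Task Scheduler COM API, which the report also flags, shows up under C:\Windows\System32\Tasks and in the TaskScheduler event log instead, so cover both.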

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\1f852a278e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\3409f4d3ce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2764 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2764 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1872 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe
PID 1872 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe
PID 1872 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1872 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\1f852a278e.exe
PID 1872 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\1f852a278e.exe
PID 1872 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\1f852a278e.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1480 wrote to memory of 1552 N/A C:\Users\Admin\1000037002\1f852a278e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3612 wrote to memory of 756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 756 wrote to memory of 4760 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4760 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe

"C:\Users\Admin\AppData\Local\Temp\6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\1f852a278e.exe

"C:\Users\Admin\1000037002\1f852a278e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea653c3f-04c2-4709-b3bd-f88604f956ae} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" gpu

C:\Users\Admin\AppData\Local\Temp\1000038001\3409f4d3ce.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\3409f4d3ce.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c33d286a-e6a0-41be-ace6-ffa6c2bf187d} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0281bb-2695-4b52-83db-c4f3f3c42d5d} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -childID 2 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05c5dd76-c72a-43e6-9b7a-997e360b93ec} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4292 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4148 -prefMapHandle 2756 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e3bc5f-bd1b-4a61-8529-9dbad3f12718} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5436 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84ab2751-4cd3-4cde-a02e-5bd2f6409434} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90af4a7d-64a1-4821-ae7d-6f9aa0d77cd8} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d61bf1c-cef9-423d-a8fc-adfb339a6e58} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6284 -childID 6 -isForBrowser -prefsHandle 6012 -prefMapHandle 6140 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6dcf360-4d97-485f-ad7a-8f31be6c292c} 4760 "\\.\pipe\gecko-crash-server-pipe.4760" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49898 N/A tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49922 N/A tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/2764-0-0x0000000000E30000-0x00000000012E7000-memory.dmp

memory/2764-1-0x0000000077696000-0x0000000077698000-memory.dmp

memory/2764-2-0x0000000000E31000-0x0000000000E5F000-memory.dmp

memory/2764-3-0x0000000000E30000-0x00000000012E7000-memory.dmp

memory/2764-5-0x0000000000E30000-0x00000000012E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 5193ccd3d4b697e58c680bcd4954dd6e
SHA1 1faafc8d8f4ae43f14523d3d9ccab85c6e79af10
SHA256 6c8216e5b24ed838e4439e825505a6a714d46b5038204a086196433fec454189
SHA512 e2f53360c3e07cc56b140ffa616f4fd0e9f2e6a1df82d8f434db1ff4a0aa5d657edb8b1fb03704980fbad23b240e2196dd67c6000fd1ce8f1732783e86f19c4d

memory/1872-17-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/2764-16-0x0000000000E30000-0x00000000012E7000-memory.dmp

memory/1872-19-0x00000000008B1000-0x00000000008DF000-memory.dmp

memory/1872-20-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-21-0x00000000008B0000-0x0000000000D67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e6301dcfdc.exe

MD5 a692e9aa849f2e4ef174116c2c7ff1f4
SHA1 c6a830449f364888bfdf84b93b50bd2091ceb195
SHA256 68418f2dfa408b5d47bd6dd209a2c51d86d946448cdd8533e01aaf663bd37d25
SHA512 0ff667c1371512f4794e97344c220bba2baa4cded3a4b6cd7d628e61f0c171fbca4b607df3c4f323e21c7329cf5bdc565ffa2a2c3bd9ae0a7bac706b7e24b335

memory/2968-40-0x000000007305E000-0x000000007305F000-memory.dmp

memory/2968-41-0x00000000001C0000-0x0000000000312000-memory.dmp

memory/3612-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3612-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3612-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\1f852a278e.exe

MD5 cce7286520fba2ea0ebcb5ded18c5ee7
SHA1 06879b8744cccd54fdd33dcb0c9309e60a416386
SHA256 99a73b9c1d55b09c417d4b106a761619e8733f04569665708dfd6b7c3b03061a
SHA512 f1b350449b3d6bb9f1b234868fd353cadc9a33fac368519589d3ccb24ab60ba1081fe92a363ebecafd49ad066003525cec292dfd6add3c8622bdbc4fa1c7658d

memory/1480-66-0x00000000003A0000-0x00000000003F8000-memory.dmp

memory/1552-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1552-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\3409f4d3ce.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/908-87-0x0000000000940000-0x0000000000B83000-memory.dmp

memory/908-93-0x0000000000940000-0x0000000000B83000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\42e63c76-a520-443e-8b8e-d377bc25b117

MD5 68f72a25d7807f806811421d2698b93b
SHA1 09a7e9058c86d0e9bdd10354201d755346fa870b
SHA256 7a1840d38d52ae7d681e007a33f8173a69471569c6b8b203c4f74c4f2cf1731e
SHA512 3cb9accdaf92d7a597d853beb8000ed373453584f15b3237f5e4ee32967e3319e7235b1bb5e928b0e6ae6416eaa1832bcb0a3f1048f9f79e4ee35395610a06fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\aa6d3717-9e49-491b-880b-2df21624fc9d

MD5 3f9fe90a0c66dbbf905eeff290a1b6bf
SHA1 20397a8f177b1a62eb9d7a348f642a2583a1f53a
SHA256 038629f9677d35c5de2965bf91cd382990665502653e863f10fde63bc20727e8
SHA512 481d88eb971bd2c0e0c718b3444967a19d5eafd80908a21439996065615fb3d3580b79b021031b0ea8af2c5b9a7a7072caa8eaf2c84d30830b3961b85e1f8ea9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\1da8ec32-2e84-4c00-8840-57633e88c657

MD5 977f4d4ddb0727430f71ac9fda644f7b
SHA1 f5929ad1cf0f40694b0708e5e62cea4908ba4a92
SHA256 991ea9de19394dfb752bcf884e45f28b9b5192d9794816b541d9d7e77b3e43e6
SHA512 ef1e7e9e51c179e0996b75ce3143df9f4bddb2be248a46a20d454b5b0e8639248008742d42a975a9514b7db069e2c881a5041edc927778e1088b57ea69880b38

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 021492de67e5e8bd65d6f409b71fa56e
SHA1 bcc1e57243927dcc00505f4838000230278b07fd
SHA256 e78f03dc840efa3070f9d4ed76b38598298658422462e2a659997356b3ff12c4
SHA512 b19e62732353ef916e831f93d335b4df257c440c9b82bdc0b2724dfde771a5ec326f96862f5c52432f7e6e1ebe645ca9687b22c759450b22ef4e058666195b31

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

MD5 f54ed9f30158afdfa55492d81d3e9138
SHA1 5ba5ef1b9b977ef8246ee3570ac569089d1d43bd
SHA256 eb8697199ceaaf0676c22de98fff59c26270b2db6d57fdd62c1bca15c0c01aed
SHA512 cf7586bcbc17dc827fecc6285a8c3765e3927b94b8b3dcce270a3cd86ccfe2368f9744c77b2ad54cace0f071898930f8296bc7a2bb6792c3fc97dd8e424b9c07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 ddd967434d6549050910b1e396a4669b
SHA1 e0fb032b40877d4c7e096bc5b8a1041bdefd75d8
SHA256 0dac4c26173518fc2bee95960a2357517b4500ac02e05b89d8b91485ba078c1e
SHA512 e233ba93449ea482710622bae59e809f1e04bdeaeef1b7b7debfca2d5b3b15250f1088d888a12176a99474909101a6fcafe704f59de1335491682502c3ae53c9

memory/1872-409-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-423-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-424-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-435-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-436-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-441-0x00000000008B0000-0x0000000000D67000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 e75f84ce683d5808980dfee5aaff3e31
SHA1 ea8e5da8aa7789300c9d6ca37f460e127ad23dda
SHA256 84aad4d2da53f8a054ec3147cd4750f1e4346a60a1aeb1db32c0fe81697d1cbb
SHA512 775278a3537d2ee1bc45dc4ceee530062953b3d80e433f013b8d98fd10e9c94800f1e14a8a875f22c1b4217a7981672cbe65209fa93c8afc80fa776ba02ddb67

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 a1c40b4413e966c7f751f7b1f75f414d
SHA1 1accc332755e3bb46dc2406c3c2d6f15874e48b5
SHA256 3ebe5058ac0564dc2f9b74681e0d09171389d436629b2c1119d3c037c4b1e2a3
SHA512 2abf761412cad714d4d08addf8e8af14b7c783c5f9c1269bfd641aa495434335350d44a611b7360059cb5cdf0db17dd2b8a85435c07a4deaaa04f97df2206013

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 9cbfa875d46bb03eb05798097c589657
SHA1 b5cb68a11ea2b8fcbe69912dbc3bd068e3ed69dc
SHA256 7b23ca38af1864e299422edac8e9dca2e4e2e27281b5c74662c1a15f5baf6c44
SHA512 3ae907b3b380c0732c65560d7a13f5e05b0f261418f1cab728ea746917b9994a9cea0ad0a7106884c438821a37ba19ce0170a4c045a8d0f7602556989b12ae82

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 e53ee446894b99636622e096ce842cfa
SHA1 8d4b606b63698de759a3ae1e4de75283b6ec8321
SHA256 cf36d8acfe236daef7c5557c9ec50871dac14020422e5a0d657a56cf2c740264
SHA512 91b6e2160aaaec17aa3b6150990d203d8af9ef45eee08e6cb56305c4ee9a5ae82d7d9ddea71dbde8a370418413571600d03090a731b52f2656825e6c42ec3aa1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 2f4f28ff3094069c7984d673565fad10
SHA1 9c4d0c373de99607d4e36a6630c1dccf143bb856
SHA256 fac60cabb62e658c549bb9421c4bcc83baf6d31342de24fe5df3267be5d4f61b
SHA512 0ce7960f71e774feead3b1fc207b1b70a16356befdfba1d4c9b9963f283262dceb7b58f4ab87b9a421d9436095fcd4c347c688547219c950ba06f0a72cd6df1b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 816043397734e69c6a641f142c7ae289
SHA1 bacb4ab7c1a78565dd5153861067634131b0340b
SHA256 66412697266534c21b1382962cad8f3a2235aab78986a2f438aeabc5ac996669
SHA512 8b6fbcf5dc7517d0d926b50a2ff3c2f68730cc7554bed1d45b90d0f9775b6baf376d609f420217f5af10141fd35d229260da4cbc8222af64db39601a8f94ef1b

memory/1872-1000-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1028-1244-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1028-1278-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2112-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2576-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2582-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2586-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2587-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2588-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/5220-2590-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/5220-2592-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2593-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2594-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2600-0x00000000008B0000-0x0000000000D67000-memory.dmp

memory/1872-2602-0x00000000008B0000-0x0000000000D67000-memory.dmp