Malware Analysis Report

2024-10-18 23:43

Sample ID 240812-g1fnbatamh
Target 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
SHA256 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-12 06:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 06:16

Reported

2024-08-12 06:18

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\932baf1258.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\932baf1258.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4872 set thread context of 3264 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 set thread context of 3636 N/A C:\Users\Admin\1000037002\b5e47d0d6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\b5e47d0d6d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2944 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe
PID 4872 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4872 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2944 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b5e47d0d6d.exe
PID 3660 wrote to memory of 3636 N/A C:\Users\Admin\1000037002\b5e47d0d6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3264 wrote to memory of 4056 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 2696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2696 wrote to memory of 2160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe

"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b5e47d0d6d.exe

"C:\Users\Admin\1000037002\b5e47d0d6d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1792 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb1dc20e-1ca4-4fd3-bdec-d73b7b585d78} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {041fc072-0cf1-4ed4-b6b7-133e44c45fd4} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1476 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b76077f7-19b5-4a96-af81-3e4afd5ef926} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3316 -prefMapHandle 3252 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7300565-5987-48eb-82b2-54fafd3f308a} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4520 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b211136-c42f-4a43-8926-ef39a4ba8636} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" utility

C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d72064cb-b222-42ea-b647-a0e9d637be6c} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5044 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c638dc-ef57-4094-9d49-80990fd16383} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5596 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51b1165c-2f29-4d9c-a654-be2c0ca5a7dc} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 6 -isForBrowser -prefsHandle 6328 -prefMapHandle 6332 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96bb004a-c15d-4e82-b8b6-068765411f89} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:55730 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
N/A 127.0.0.1:55739 tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
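The Network table above mixes the sample's own traffic with Firefox's telemetry, CDN and Google traffic, so the first triage step is to separate connections made straight to an IP address (no hostname was ever resolved for them; the sandbox prints the bare IP in the Domain column) from connections to named hosts. The Python below is an added example by the editor, not part of the sandbox report: it parses rows in the table's own format, applies that direct-to-IP heuristic, and converts the in-addr.arpa queries back to addresses. The input is a constructed subset of rows copied from the table above; in this report the reverse lookups name the same three 185.215.113.x hosts, so they corroborate the list rather than add to it.

```python
"""Triage a sandbox Network table: split direct-to-IP connections (the
Amadey/Stealc C2 pattern seen above) from the browser's own background
traffic. Added example by the editor; the heuristic is not the sandbox's."""
import ipaddress
import re

# Constructed input: rows copied verbatim from the behavioral1 Network table.
# Row format is "<country> <ip>:<port> [<domain>] <proto>".
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:55730 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
RU 185.215.113.100:80 185.215.113.100 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def is_direct_to_ip(row):
    """True for a connection to a public address with no resolved hostname.
    The sandbox repeats the bare IP in the Domain column in that case."""
    addr = ipaddress.ip_address(row["ip"])
    if not addr.is_global or row["port"] == 53:   # skip loopback/private and DNS itself
        return False
    return row["domain"] in (None, row["ip"])


def c2_candidates(rows):
    """De-duplicated, numerically sorted 'ip:port' list of direct-to-IP connections."""
    hits = {(ipaddress.ip_address(r["ip"]), r["port"]) for r in rows if is_direct_to_ip(r)}
    return [f"{ip}:{port}" for ip, port in sorted(hits)]


def resolved_hostnames(rows):
    """Hostnames queried or connected to, minus reverse lookups and bare IPs."""
    return sorted({
        r["domain"] for r in rows
        if r["domain"] and r["domain"] != r["ip"] and ptr_to_ip(r["domain"]) is None
    })


def reverse_lookups(rows):
    """Addresses that were reverse-resolved: corroboration for the C2 list, not an IOC."""
    return sorted({ptr_to_ip(r["domain"]) for r in rows if ptr_to_ip(r["domain"])},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("C2 candidates:", c2_candidates(rows))
    print("Named hosts:  ", resolved_hostnames(rows))
    print("rDNS of:      ", reverse_lookups(rows))
```

Running it on the full table gives the same three hosts: every other connection in the table carries a resolved name, and everything on 185.215.113.0/24 is plain HTTP to a bare IP. Treat the heuristic as a starting point, not proof; confirm against the process list (the connections should belong to explorti.exe or the dropped payloads, not firefox.exe) before blocking.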

Files

memory/1088-0-0x00000000002D0000-0x000000000078A000-memory.dmp

memory/1088-1-0x0000000077374000-0x0000000077376000-memory.dmp

memory/1088-2-0x00000000002D1000-0x00000000002FF000-memory.dmp

memory/1088-3-0x00000000002D0000-0x000000000078A000-memory.dmp

memory/1088-4-0x00000000002D0000-0x000000000078A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 b34e3f1eba1a4c3c26104128f3df2e94
SHA1 e1e8b98be081cf73205e90c5fef03d7d19611590
SHA256 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
SHA512 dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76

memory/1088-17-0x00000000002D0000-0x000000000078A000-memory.dmp

memory/2944-18-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-19-0x0000000000F71000-0x0000000000F9F000-memory.dmp

memory/2944-20-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-21-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-22-0x0000000000F70000-0x000000000142A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\932baf1258.exe

MD5 2cf4fe66d4e93a2aa66cfffdf7b9d55c
SHA1 c94b44c29812518331d7981984b45d35af5bb77b
SHA256 5e53e477950bf652646e1faeee7507c6db804d3d0dd19046f0832f7d778af835
SHA512 bf86555ad8838deb7c94bacd2d0ac41d5af5ea1693ed31f515e7ef73b4e258e78ed92653cd216b01009b64abc1811e9f7a903b6d24d0827de60d4623dbf4ed73

memory/2944-38-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/4872-42-0x0000000072F8E000-0x0000000072F8F000-memory.dmp

memory/4872-43-0x0000000000B80000-0x0000000000CB0000-memory.dmp

memory/3264-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3264-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3264-49-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\b5e47d0d6d.exe

MD5 f936e41f331f3bcfa5479fc12569dfa0
SHA1 0fbf4b66a04ac0c756b85e79df9aff371a0e46be
SHA256 c607af07435b71602537fbe78096da145867130ab1dd1e33f0c3a4bda2524217
SHA512 2d21e55033462c4330fd42c52664d8cf6a01c4421a046a2ef37451024e76844b81e3fc4be7b22d5541079d7b0922ee8c24970ccc2e0bdc50bd5c4dd742fd6d50

memory/3660-68-0x0000000000C00000-0x0000000000C38000-memory.dmp

memory/3636-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3636-72-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\e0b806c7-5bb8-47f3-8d40-1bfce8262526

MD5 efc2ef733b62fd0532906bed3964465f
SHA1 42f42be3b76aa87c051182fbf181441c8a0848e7
SHA256 3f85db1f1c29a3919c7bfe234a804b9de6d07635736cebb5a6dd5bdf974221cf
SHA512 49f1c3ab49f04423d29c8bccad26e8002a96c7e9bb1839140d9452e6dbb96abaec7b5e880cb350df338a7c0c780402a50a593ba5c5eb53bbafe06453c9db8306

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\2baa8ef8-94b8-481c-b78f-9c7ed64f917f

MD5 2a2fd16826e40d64bc8cf6b3f7aa98a5
SHA1 08f7d7a40daaff4f16f5617bce9c6bd0924312c3
SHA256 312d6c4caa65b0da681c8f2709d77a49be99629d1d2788ed73a2a09d5f963f89
SHA512 b5fe2313efc4ad5133c2db0881eba91d791b6585c829f40b093c54eeb1cd1d200a334063ba1ea1575d4c969fb57e71e38df69ff192fa2dd83b266179eebc6f71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\a0ca079d-ac41-42f8-857e-cd16370226f1

MD5 2464ace660d2d6a90d569d4049f79632
SHA1 90822031963d3d8679a219b57874dafb0f0b3799
SHA256 bd233b01a116dbd4ab246549f2727ca40f7d7f6f5d578fa5b1d59874c9d29a09
SHA512 438b478b39fde3907a2274483a27e0fc05288dd3a34bab128fcabf77676228568aec2c22d7cf99e0cfbf165a23cd69304521b29402429f9c07620072468ccf20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 524901f1946e68f0dd61d446388d4ed5
SHA1 ddfec1500ca3a8f602ea6a4302580a56432f3991
SHA256 4c6ca20d348956840fa2d86688435daff195b5c75865a218c0d6894582a79190
SHA512 cde125e073608bf529eacef18bd357870190b61f5011197dd8251db6e5b532de08557ef162b00eb8f307f78898750c2e111c910f571fc2cf068cf3a0df8c745e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

MD5 5f624a740e2578f5ff8f81e9b8f5d5d5
SHA1 45dc0f40a4771c598538fb8e643dbd5e534657de
SHA256 534ae1497b0aff8c42591a68c68655379a3e52ab4465c84e92714401e62c9a80
SHA512 ac6acf30300cf49b1fe0e309cc36b0d436a381cf58daf05aed28b0b6ae9e9bebe2b5f6ad6d88ef47332fc500471ebd510705058376ab01148dac5810349cc55f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

MD5 ad0e022ad6ba3ebfbc00d07f0a9c3128
SHA1 ce274907ae4636e1435d60d38f11fb64fc9d002e
SHA256 599f106d0de476239e1e21d9092d77001071fc605f4cad6378f1ed32a16b1c52
SHA512 0725bd3a6094b52a113c73f69507e3f760b08c546689ef00af1192763151f1b0da1e2f4cae8f7540bfa3969c83763d1dc099aa298a6b357abaaf973256057760

memory/2944-354-0x0000000000F70000-0x000000000142A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 36e8b8f12fdd95d693e2ae4002984d6f
SHA1 f3cff6c4f8e5233c97d7fc7d010e6a888481255d
SHA256 fbd5b26b901bae1712cfa57f44357c13cbf8f76eb6fb76a2c32a4ec791ab8a28
SHA512 d6b918bfe786c08990cbda12ce49c80d70118a5b04792c5d859acd85866b415b3ad6196158182177421ab2e8058cbadaa8dcb8261e8456e81abe7281d309f67c

C:\Users\Admin\AppData\Local\Temp\1000038001\6612447c8f.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2944-374-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2468-377-0x0000000000590000-0x00000000007D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 14ae2b32897950492f8b17186401881e
SHA1 348f3fdf158529aceb909d5cc57ad0a25cc137dd
SHA256 2cfa42ead3d1ef00072a83be11ddf23b35eb4b92981cda75ecd6c9c35a9fd295
SHA512 175432c3874743b3ebc95e36aa201db454800f1b0326aed49e72be0be9ae6a0d6cccd6cf800154f8cf65effea279f24fbe15a0a45eb8d16f209304f34966d0b8

memory/2944-433-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-445-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-446-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2468-447-0x0000000000590000-0x00000000007D3000-memory.dmp

memory/2944-458-0x0000000000F70000-0x000000000142A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 da72355134417c6f46cd75aa9f0c79a6
SHA1 380a3204446f5c0177c67934c8161343857a4ae3
SHA256 ec7082221b42398c4310acfaff34e62ce01fc195e15af837cebadf42d3a3d973
SHA512 ff71a42d2630cc71a8d887b1c92a010189af8ea760c60bb10e0f4f3952ef04e92a7678df4df48dd6989eb3b476594b10d00f182d16a6588ddbf9ce615be696f1

memory/2944-481-0x0000000000F70000-0x000000000142A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 9cef77bdb452024343c21dc50685763b
SHA1 8e2debf848b0c2fbc58dbfcd2b3b1aae7661936b
SHA256 0e14720cd683b00c5140facef81e9212090f14296c334097f8d9caad077283b2
SHA512 6c666942a1c77ec7a453416605685e9b2283a3c40bcffa38cbc76220ab5af9f14b00f5e63c8c52083368563b2ec2873eb8c282d2be8a8e1e86e2a845b3361368

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 38bf05ead9edad097fbc3a93af5cb01e
SHA1 9f3b8b980472b6c86265200d772e37cda0117d4a
SHA256 fa81a0bfd22fe365c5ec155054f7bdc4711a244c8453bdf498c2cb2e1c8d4d6e
SHA512 6d6b9b77172827170a602a2ad89a2196e3bd10ef91e18e9dd0fb070b4892da8a3dd9d250012c2c2522c8732f0d3ebc6db94d086b15f216af73e99f23969de3a0

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 8afd8541067bb2f6d3824fcc49ed0c5f
SHA1 b2172f68349c0956c020f623ae20fda398380f72
SHA256 34b88e759d9e873989b84f1a7b5485a9419751f42ca4f46bf08463d92155b86e
SHA512 f43edf496d1a19ae07c0997935865ecbf05a9df946ea611f4c1d245fc728234b913c31c2562265827a0610ea12f28b4e23d9778141e1fe07f5292b7cbe95531a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 57c9a00cc0faa63c53b34d64b9cb3d72
SHA1 7983195faaa80510dfc38de1a43bab54316ffffc
SHA256 652a38eb6abd6a31bb712db9db7ae229a0f2da2aaf28c825ddda1ee7325c8c2e
SHA512 ed81941b01b54ebcb19fadc44590dd544ae050b389941698642b930dc0cefe2e9be1d904038f141fd0e03eb7630d0e757e1162a4224172419358ef252fa14e59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 7ada35fe796574074fd6271417f3bffc
SHA1 b8592fc2be2909f0e068ec1c7eea39576aa4a265
SHA256 1f55eb3939c52aa8849f743da469b816f643cebf86906d89c773fcd56fbad3a1
SHA512 415f49478360278a65cd4429b658d2ddfa319480777280d2846731b85bd9332230615c02ae979bedf63e278e9c406e7935090f75d4aed0bc0fc2cdf2ebfc15c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 6084632116cbab7181e591fb695d8fc1
SHA1 6fe6de8932d9a4288a6de8c39302f7149d5a9e0f
SHA256 cbf234e5116b798d9cacbf4b240eb7f4ab61832a2e7cd9523dda7704c4bb00c3
SHA512 797b376d9eaab5192eaf34367297d057b71815767bf8e1c02a50c9d5c1b9f777a3373518fd238b6f1cab862a84963a67f43131ba9f4b5c02ded3b809d52747b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

MD5 3bae7052e94705cfa0214625785f2515
SHA1 e115e02d01b5bcaa6434ef8ed4d3dfe3bbe7b258
SHA256 ee37644618433d3e55080fbe5696db73d44f6716248cdb451fc7811cf1cbcc4e
SHA512 32610302e2215e7884e19eef4de1eb0ace5c12a786dd5fda9d9cef52c833b554281c467086076c631af3601ab336d4f7cc5cf8c0bea77d6feb0b63647040b751

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 f44dbafb337930c2b6f32088f5ea0bc5
SHA1 ccbeaaf4615323f1abe6ec2fdd93c71c6f843979
SHA256 74e63004e9267c349f1b43974bdf94bd080b2dafa1fe1fbf4350ebc5aec42aaf
SHA512 172d2c986375791381c7f871f14a009abd63b9fc553cfb793d16d8e1b60a4cc0b774e56270b0ff0e60f12519d3f2d870139373bf8979fea756a2c070ad69271f

memory/2944-806-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/5852-880-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/5852-900-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-1251-0x0000000000F70000-0x000000000142A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2944-1643-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2163-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2848-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2852-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2853-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/1692-2855-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/1692-2856-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2857-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2858-0x0000000000F70000-0x000000000142A000-memory.dmp

memory/2944-2865-0x0000000000F70000-0x000000000142A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 06:16

Reported

2024-08-12 06:18

Platform

win11-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\01630fd316.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\01630fd316.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3152 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 set thread context of 1116 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
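The indicator rows in the tables above are space-separated, and both registry keys and process paths may themselves contain spaces, so they are awkward to grep. The Python below is an added example by the editor, not part of the sandbox report or of the malware: a parser for rows in this exact format plus the checks a responder would run over them, namely VM/Wine registry probes grouped by process, the Run-key value and the path it launches (with the sandbox's doubled backslashes undone), SetThreadContext calls whose source and target images differ (the process-hollowing pattern, here into RegAsm.exe), and files dropped under C:\Windows\Tasks. The input rows are copied from the behavioral2 tables above; the two firefox.exe rows are included to show that ordinary CPU-info reads are not flagged. The VM_ARTIFACTS list is the editor's own selection of the keys this report shows being probed.

```python
"""Turn flattened sandbox indicator rows into structured findings and extract
anti-analysis probes, Run-key persistence, cross-image SetThreadContext and
.job drops. Added example by the editor; rows are copied from the report."""
import ntpath
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 Signatures tables above,
# plus two benign firefox.exe rows that must not be flagged.
SAMPLE_INDICATORS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\01630fd316.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\01630fd316.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
PID 3152 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 set thread context of 1116 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

# Lazy groups let keys and paths contain spaces; the trailing Target column
# is either N/A or a second Windows path, which anchors the split.
TARGET = r"(?P<target>N/A|[A-Z]:\\.+)$"
REG_RE = re.compile(r"^(?P<op>Key opened|Key value queried|Key created) "
                    r"(?P<key>\\REGISTRY\\.+?) (?P<proc>[A-Z]:\\.+?) " + TARGET)
SETVAL_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?) = '
                       r'"(?P<data>.*?)" (?P<proc>[A-Z]:\\.+?) ' + TARGET)
CTX_RE = re.compile(r"^PID (?P<src_pid>\d+) set thread context of (?P<dst_pid>\d+) N/A "
                    r"(?P<proc>[A-Z]:\\.+?) (?P<target>[A-Z]:\\.+)$")
FILE_RE = re.compile(r"^File created (?P<path>[A-Z]:\\.+?) (?P<proc>[A-Z]:\\.+?) " + TARGET)

# Editor's list of registry locations that exist only under VirtualBox or Wine,
# or that the sample reads to fingerprint the BIOS (compared case-insensitively).
VM_ARTIFACTS = ("\\acpi\\dsdt\\vbox__", "\\systembiosversion",
                "\\videobiosversion", "\\software\\wine")


def parse_indicators(text):
    """One dict per recognised row; unrecognised rows are skipped."""
    findings = []
    for line in text.splitlines():
        for kind, rx in (("registry", REG_RE), ("set_value", SETVAL_RE),
                         ("thread_context", CTX_RE), ("file_created", FILE_RE)):
            m = rx.match(line.strip())
            if m:
                findings.append({"kind": kind, **m.groupdict()})
                break
    return findings


def anti_analysis_probes(findings):
    """Process basename -> sorted registry paths that are VM/Wine artifacts."""
    probes = defaultdict(set)
    for f in findings:
        if f["kind"] == "registry" and f["key"].lower().endswith(VM_ARTIFACTS):
            probes[ntpath.basename(f["proc"])].add(f["key"])
    return {proc: sorted(keys) for proc, keys in probes.items()}


def run_key_persistence(findings):
    """(value name, launched path) for every write under CurrentVersion\\Run."""
    hits = []
    for f in findings:
        if f["kind"] == "set_value" and "\\currentversion\\run\\" in f["key"].lower():
            value_name = f["key"].rsplit("\\", 1)[1]
            # The sandbox prints REG_SZ data with doubled backslashes; undo that.
            hits.append((value_name, f["data"].replace("\\\\", "\\")))
    return hits


def cross_image_thread_context(findings):
    """(source image, target image) where a process set the thread context of a
    process running a different executable: the hollowing pattern."""
    pairs = []
    for f in findings:
        if f["kind"] == "thread_context":
            src, dst = ntpath.basename(f["proc"]), ntpath.basename(f["target"])
            if src.lower() != dst.lower():
                pairs.append((src, dst))
    return pairs


def task_files(findings):
    """Files created in the legacy scheduled-task folder (.job files)."""
    return [f["path"] for f in findings
            if f["kind"] == "file_created"
            and f["path"].lower().startswith("c:\\windows\\tasks\\")]


if __name__ == "__main__":
    found = parse_indicators(SAMPLE_INDICATORS)
    print("anti-analysis probes:", anti_analysis_probes(found))
    print("Run-key persistence: ", run_key_persistence(found))
    print("cross-image ctx:     ", cross_image_thread_context(found))
    print(".job drops:          ", task_files(found))
```

The output is what goes into a host-hunt: the Run-key value name and the %LOCALAPPDATA%\Temp\1000036001\ launch path, the explorti.job file, and the fact that the .NET utility RegAsm.exe is being used as a hollowing host by two different dropped executables, so any RegAsm.exe whose parent is not a .NET installer or build tool deserves a look. The firefox.exe CentralProcessor reads parse correctly but produce no finding.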

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\76dd4c8052.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3484 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe
PID 3152 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3152 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3484 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76dd4c8052.exe
PID 1028 wrote to memory of 4580 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 wrote to memory of 3960 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 wrote to memory of 1568 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1028 wrote to memory of 1116 N/A C:\Users\Admin\1000037002\76dd4c8052.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1800 wrote to memory of 3496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 2032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2032 wrote to memory of 3516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe

"C:\Users\Admin\AppData\Local\Temp\3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\76dd4c8052.exe

"C:\Users\Admin\1000037002\76dd4c8052.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1860 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6cd32f6-1ffa-4cd0-a642-93d73ba4a93f} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196b54e8-eeac-4820-920b-c9024b75e131} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e35575b3-f605-40ae-a364-603b9525dba9} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 2940 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bce0595-a402-404b-b429-54b47ae83276} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81240042-c327-4e4d-9829-9ddbe9ccdbe4} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5312 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b469d50-304b-42b1-b4cf-d17f5f868050} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430c2be4-4d42-4bb6-94a2-18a31f643e74} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5644 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7112f7d3-3802-4f25-9c8f-b7d8ef6e1eb7} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6200 -prefMapHandle 6204 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4958cb-4929-4a71-a40b-de7bd10a7d00} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files

memory/4916-0-0x0000000000DD0000-0x000000000128A000-memory.dmp

memory/4916-1-0x00000000774A6000-0x00000000774A8000-memory.dmp

memory/4916-2-0x0000000000DD1000-0x0000000000DFF000-memory.dmp

memory/4916-3-0x0000000000DD0000-0x000000000128A000-memory.dmp

memory/4916-4-0x0000000000DD0000-0x000000000128A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 b34e3f1eba1a4c3c26104128f3df2e94
SHA1 e1e8b98be081cf73205e90c5fef03d7d19611590
SHA256 3e06ac28cc33b0c2d8143ba7abb6c8734355ca431c8ba0e67ed444a1a2d717ab
SHA512 dddf13d6bddf77ec846fe3e91296d28865e723b84f7331f333c4ccdba5372b4f5e2f6521d27e2d8381a4ea3bda7fa5516b70222b99b6ed7594428d8b3a470e76

memory/3484-18-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/4916-17-0x0000000000DD0000-0x000000000128A000-memory.dmp

memory/3484-19-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-20-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-21-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-22-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-23-0x0000000000BD0000-0x000000000108A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\01630fd316.exe

MD5 2cf4fe66d4e93a2aa66cfffdf7b9d55c
SHA1 c94b44c29812518331d7981984b45d35af5bb77b
SHA256 5e53e477950bf652646e1faeee7507c6db804d3d0dd19046f0832f7d778af835
SHA512 bf86555ad8838deb7c94bacd2d0ac41d5af5ea1693ed31f515e7ef73b4e258e78ed92653cd216b01009b64abc1811e9f7a903b6d24d0827de60d4623dbf4ed73

memory/3152-42-0x0000000072E6E000-0x0000000072E6F000-memory.dmp

memory/3152-43-0x00000000002E0000-0x0000000000410000-memory.dmp

memory/1800-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1800-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1800-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\76dd4c8052.exe

MD5 f936e41f331f3bcfa5479fc12569dfa0
SHA1 0fbf4b66a04ac0c756b85e79df9aff371a0e46be
SHA256 c607af07435b71602537fbe78096da145867130ab1dd1e33f0c3a4bda2524217
SHA512 2d21e55033462c4330fd42c52664d8cf6a01c4421a046a2ef37451024e76844b81e3fc4be7b22d5541079d7b0922ee8c24970ccc2e0bdc50bd5c4dd742fd6d50

memory/1028-68-0x0000000000DD0000-0x0000000000E08000-memory.dmp

memory/1116-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1116-72-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\98d097ed-6683-46c8-926c-159096085ef6

MD5 139dedd3a313489a7703c84ca1429c64
SHA1 610175c8f391849f86ef6e433cbf7ac25444b3d7
SHA256 8a38b98e422b2a53a35457443f78bc62fb5d78329f2eb4662acbc8b48d60478a
SHA512 08c2585ba30c3126deab53d1c929b749d787ade65583d8123b16ccc54c3c539e9a4eeb0df95c8426d99ea6ff23caa422a91baad6664a1b34b8c1f64630b2d9b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 3122bf88981f45169b9c285b42e21f36
SHA1 72e26370625effd20f28606d85587ef12a36ebab
SHA256 000556b3b923fd3fc726ec09a79a989744063a87d858058cc2c9178b4074e5a9
SHA512 216d21c25b70048131477cf577a02453a4ef51a7a50887928046f74559232bdf251d4a7e71409994d751edd0661fb4651c49a34f5b4307c070e21ac14fe6be14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\6b9d5982-b399-43ff-bcca-da178f4edc22

MD5 4d5553ce3d9da52f03d99473e66c3bce
SHA1 bb4d5e0e98f406b4b78f640d8cbba58ffbbcba68
SHA256 1d7d10d1eb2f7862ada4e852b1e4a8c8b6d4a7dad806807392f70148872d627a
SHA512 bffa7a7ac05ac87dce8e36d6110aa7e7d0db1279a50b124392a97eb8eabc69184c54d08ef825338f342b0e675578fe2543df21161c8bde0629b073b1c917a7f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\0076e695-cd2a-481a-a8e8-cf026ad944d7

MD5 b9528ddd51b1f310ef6b8105e3edc38c
SHA1 bd7c3b364b98f9239fa4d900d7d4d3c25a61ff22
SHA256 d403cc4279e510277657fc0214c894331a092bdf5012649678498c89440c8a24
SHA512 f35274fc7c0f43e5a914af484cdbd32974dd84d5929493a24c422dabdbc9fac64a41de2b516d26abfebd85972d6a7ee72a0fc4e71a4a5a4627bd0459e721de54

C:\Users\Admin\AppData\Local\Temp\1000038001\2b77e4b2a5.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/5096-326-0x00000000004C0000-0x0000000000703000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

MD5 4b84d69607cac35100513a634c3a3b81
SHA1 283671385ec5b44c466c9a7bf528c85fd9f02ae1
SHA256 b69fccb43d9527ab9adfba650e883b1d5ab76303add320dda78b77b08b4636df
SHA512 a721e25bfdaee089a2133b0c9a00c6218d75bff5e733dd43a8927c87390c41e41543ec255234461fd3152194d28a61d488e452df452fa34349a93f970371ea48

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

MD5 0670192e4807db011b9d0ab53561dfcf
SHA1 7564a4036813e4b1fde4d00be18f615301810e48
SHA256 72aaf2baf8b50d952d2d5c70795428d88efa6546005ee41aa2e29b7489f4c2a1
SHA512 9c3d1d802d79b82cd6b0e2574a628b35ce7b36dc0540c0a4dca0d758f2288f890cfb7e1f19940069d13ef37b8ffe2fba3ea64d2abe51052d641349d99485bdca

memory/5096-363-0x00000000004C0000-0x0000000000703000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 5f74ba46cbd4c8b89a86e92bcb5eca15
SHA1 b9f93d61869f641aeb11e547e60da8a558d0d1f0
SHA256 e0de6b67fa91da0333f3e5eee1546e0cfa35d75f57abbb55345ec699ae2a2242
SHA512 0b05f2081b8bf26ba9cb2ae50955d7a24ceeca4962e8fdf873f349c49b02297e9599859cafdac138653d7f8c06afa5a2910d41e8ba5e74c08478522195e81270

memory/3484-382-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-383-0x0000000000BD0000-0x000000000108A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 2d3c1edcbd79efa29cd634e233eaf0ce
SHA1 aa4f5137065b7d751eb7de1e2139cd90e5fb6d43
SHA256 f839d6c1c285761931cc45704fc815356cf186292c218c420e5c1d3482d965c8
SHA512 4594e4ee365a77c7d522b85c39ed463b928024129495c9dd844695c327027c2e34507c05c1a65e08d80827d2b2cf50567020666109027e85e6c3bf10c940c02f

memory/3484-444-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-459-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-464-0x0000000000BD0000-0x000000000108A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 b26f79b2ec3e51030aad0e81e8082546
SHA1 bff3095a68d778530a8f7bb5de242c0175a623cc
SHA256 a6bf1d8558ead5f54476899f44ee037a35efc62e26cb1ab1b915d0f1e6a6dfca
SHA512 419ed175f1306b17e89291c44823b890a5389eca1f098c9298e3d43adb8bdc249f1b1a21fed1950c4a7581de0b8b7ddee33b546362c23377e501169872255bf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 f462e33be570c408c19a2d8af0fc0978
SHA1 110bfd03674243734b1699089c05bd2e43ea738b
SHA256 a006092fe755350a1cf7b5e0dd09e2d4c878ade563941c71c870528156559f69
SHA512 a5851332dbbfc17157778ba94f4f6cafcea1b47363fa04d1a6d96d5393be3af68bd2d68d7902de91eca36d6c966dfb8170eca061ece031d59000c4f1c3afd4f7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 9bc99886217c8014a3c12fabdd64de2a
SHA1 e4d14e8a89081c19bacf37f48e88689bd17d830d
SHA256 fdcc72f7d8889db81aaf4088bd1b2b174cb0b9f4279a488081c28f978a2b04c5
SHA512 21586bf7de070e63975fc977daa14d68c0093e687516456c48f8f781cbe0a6da24ffc040c82b983d81ac03e61f9a93423f8c08a5d5ffe84494a8e7331d931a68

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 ed082fb0cfac79916934cf1f09109a44
SHA1 68a72d84fed563f03adf229febe3407a05fc50f3
SHA256 ae38ecadb5a610baebc173ed36d85d9251004b47e9778b141da8bb94f8ae0e8c
SHA512 74c7606aa42017c00fbdcfc60be211d10fe8a8c93542ff75f44a3d47139d33549f2550e7691a832df26124a72979db36dc218d1c6d200bc3e17d4654a6f94e02

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 45aad0dcc000cf050645e0051af8f604
SHA1 cdc2673f587af4bb20fda0d65b8db13f8e2bd799
SHA256 f57e3be6c75a3bad4fbaa4797ac93658ea0734001ebc1a84eb2c29e8c19459a9
SHA512 94f9a3380c0d578419a89793095e48cc3ee72590244b75b2c77ac1e3cee571410455886e0fc873320d8cef18304a9da353d3cd8f22126ad944696659b3476676

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

memory/3484-789-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/4068-911-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/4068-927-0x0000000000BD0000-0x000000000108A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

memory/3484-1332-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-1870-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2736-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2742-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2745-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2746-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/5924-2748-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/5924-2749-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2750-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2751-0x0000000000BD0000-0x000000000108A000-memory.dmp

memory/3484-2757-0x0000000000BD0000-0x000000000108A000-memory.dmp