Malware Analysis Report

2024-10-18 23:42

Sample ID 240812-mdx7qs1bqe
Target 2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510
SHA256 2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510

Threat Level: Known bad

The file 2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan spyware

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Identifies Wine through registry keys

Reads data files stored by FTP clients

Checks BIOS information in registry

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 10:21

Signatures

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 10:21

Reported

2024-08-12 10:24

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 4

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 4
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 4
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 1

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 4

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Count
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4dde3e6fff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4dde3e6fff.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 1

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Suspicious use of SetThreadContext

Description | Indicator | Process | Target | Count
PID 3432 set thread context of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 1
PID 3716 set thread context of 2716 | N/A | C:\Users\Admin\1000037002\c861ede2eb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 1

Drops file in Windows directory

Description | Indicator | Process | Target | Count
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\7443a7e688.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\c861ede2eb.exe | N/A | 1

Checks processor information in registry

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Modifies registry class

Description | Indicator | Process | Target | Count
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 5

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | N/A | 1
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 42
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 21

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 44
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 20

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 712 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | 3
PID 5084 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe | 3
PID 3432 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 3432 wrote to memory of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 10
PID 5084 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\c861ede2eb.exe | 3
PID 3716 wrote to memory of 2716 | N/A | C:\Users\Admin\1000037002\c861ede2eb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 9
PID 5084 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\7443a7e688.exe | 3
PID 3776 wrote to memory of 4912 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 4912 wrote to memory of 2496 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 2496 wrote to memory of 668 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 17

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe

"C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4dde3e6fff.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\c861ede2eb.exe

"C:\Users\Admin\1000037002\c861ede2eb.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\7443a7e688.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\7443a7e688.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b54f575-1201-411b-9461-cda26e7bbce8} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27b50145-2fcc-4790-ad1a-c6a30b4635ae} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2972 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e6b501a-a10b-48ef-88f2-81902757bb10} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 3972 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {397ace17-646a-4d91-b450-5e0b5ba4636a} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4716 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4672 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fc489fa-7201-41f0-ae7c-33a0c2739808} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5080 -prefMapHandle 5248 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef207620-156b-4808-8b29-97bce48bf716} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a457740-59a0-4350-a3ff-0d426ab7d0c8} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {720683c4-ea5a-4fe3-b659-b5e6f9b1c452} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6252 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1076 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e64f4efe-0291-40c7-bcc6-f79d8402e263} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 10:21

Reported

2024-08-12 10:24

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\a590882685.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a590882685.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2164 set thread context of 4716 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2368 set thread context of 4016 N/A C:\Users\Admin\1000037002\4bdf949b9a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\4bdf949b9a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\22339aa7ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 656 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe
PID 2164 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 656 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4bdf949b9a.exe
PID 2368 wrote to memory of 4016 N/A C:\Users\Admin\1000037002\4bdf949b9a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 656 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\22339aa7ee.exe
PID 4716 wrote to memory of 3308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 5064 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5064 wrote to memory of 1900 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe

"C:\Users\Admin\AppData\Local\Temp\2c308b17b9a74b604bb0ca961e755e1a05cdeb8b7368ccf770d385bfa33a9510.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\4bdf949b9a.exe

"C:\Users\Admin\1000037002\4bdf949b9a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\22339aa7ee.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\22339aa7ee.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e579d819-3ef8-4531-8b53-5b54545cf4da} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54bcdb3-b0b7-49ec-aea5-e854eed0f28b} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=952 -childID 1 -isForBrowser -prefsHandle 1608 -prefMapHandle 2592 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5f6d37c-0af2-48ee-a2c0-68eca2d896f3} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3644 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2884c210-3364-47c7-8eb4-ef8e43ede9bc} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2580 -prefMapHandle 2576 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ce4bcdb-7543-45a5-b29b-3cb12ff7d452} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5444 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55a0c5db-003f-4835-81e3-6b8f2ff8fe8b} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 4 -isForBrowser -prefsHandle 5812 -prefMapHandle 5816 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e50b6a5e-6399-497a-a252-305c238a981d} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b619d992-70b7-456b-a0e4-a9e74f4172e0} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6232 -prefMapHandle 5888 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0caa6264-7bd1-4e6c-a466-9dec23685dfe} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\a590882685.exe

C:\Users\Admin\1000037002\4bdf949b9a.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\22339aa7ee.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\0c673773-fdb3-44ea-8f89-908b924ad2e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\aa3a2443-a1c7-454d-964d-853282fcfa71

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\1b490e18-6a51-4494-9b28-c8bb93af2676

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\cookies.sqlite-wal

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\formhistory.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\places.sqlite-wal

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
SHA256 1fec542c7b508012cc23d26e5e3dba8a8f40a34b5a939e3d2167c9a6acc4e697
SHA512 97e04de62dda91b0043f20b28d55af9714dd83be6a4e920200bcbf4b8ff7bd9566a2ee839dfe3d8efa07476a50318f74e40039cf05cb8a2917d7556616b02e6f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5bd5c6633b3b70ab1abf9c6ff06443a0
SHA1 fd1d99b38257d4381af7719784d5a73299e5db94
SHA256 e920dc5b7fa3986d663d9b1f5953eab43bb18044464012b6cfe4fd60128b35d3
SHA512 2448a4910f7d527ed40d9b53809b3246bd9d5d1583b1cd3eae339cecb7879507603245c19588d6f3b15b2ed1706124589c775fe8b41d2b421f2483b80ed73e1d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/656-1023-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-1488-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2241-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2771-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2773-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/1904-2777-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/1904-2778-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2779-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2780-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2781-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2782-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/656-2788-0x0000000000BD0000-0x0000000001076000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

MD5 3287a267132886cdabcc0de6f20ddf52
SHA1 5eeda5d34642fabbe5b7fa68da577ce44e6a5883
SHA256 dabf2120b0261e843f69b72f62f4ef47ab8c6adb706102c5a2a560c382fcf6fb
SHA512 c466f4c7ddca8125354ecc78224645e563eaa27cde73317d6593b239c72b172761440570f82449666f9916fcf509bdee922684754fe49e2b07874bdb93ea139e

memory/656-2790-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/3864-2792-0x0000000000BD0000-0x0000000001076000-memory.dmp

memory/3864-2794-0x0000000000BD0000-0x0000000001076000-memory.dmp
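The Firefox profile paths in the file list above (cookies.sqlite-wal, formhistory.sqlite, places.sqlite-wal) are the artifacts behind the "Reads user/profile data of web browsers" signature. The following is an added triage helper, written for this page and not part of the sandbox report or of either malware family: it takes a list of paths touched during detonation and flags those that are Firefox session/credential stores, folding SQLite side files (-wal, -shm, -journal) back onto their parent database. The sample paths are constructed from the report's own Files section plus benign entries for contrast; logins.json, key4.db and cert9.db are included in the store table as well-known Firefox credential files, not because the report lists them.

```python
"""
Added example (not part of the sandbox report): scan file paths recorded during
detonation and flag Firefox profile stores that infostealers read for
credential / session theft.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Firefox profile artifacts of interest to infostealers. logins.json, key4.db and
# cert9.db are general Firefox store names added here; the report itself only
# shows cookies/formhistory/places being touched.
FIREFOX_STORES = {
    "cookies.sqlite": "session cookies",
    "formhistory.sqlite": "saved form data",
    "places.sqlite": "browsing history / bookmarks",
    "logins.json": "saved logins (encrypted blob)",
    "key4.db": "NSS key database (needed to decrypt logins.json)",
    "cert9.db": "certificate database",
}

# Matches ...\Mozilla\Firefox\Profiles\<profile>\<relative path>
PROFILE_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\(?P<profile>[^\\]+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)

# SQLite side files: cookies.sqlite-wal -> cookies.sqlite
SIDE_FILE_RE = re.compile(r"-(wal|shm|journal)$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    path: str
    profile: str
    store: str
    description: str


def classify(path: str) -> Optional[Hit]:
    """Return a Hit if `path` is a Firefox profile credential/session store, else None."""
    m = PROFILE_RE.search(path)
    if not m:
        return None
    # Only the final path component matters; subdirectories (gmp-*, storage\...) are skipped.
    base = m.group("rest").rsplit("\\", 1)[-1]
    stem = SIDE_FILE_RE.sub("", base).lower()
    if stem not in FIREFOX_STORES:
        return None
    return Hit(path, m.group("profile"), stem, FIREFOX_STORES[stem])


def triage(paths: Iterable[str]) -> List[Hit]:
    """Filter a path list down to the Firefox stores worth escalating."""
    return [h for p in paths if (h := classify(p)) is not None]


# Constructed input: paths copied from the report's Files section plus benign noise.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\cookies.sqlite-wal",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\formhistory.sqlite",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\places.sqlite-wal",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll",
    r"C:\Users\Admin\AppData\Local\Temp\tmpaddon",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_PATHS):
        print(f"[{h.profile}] {h.store:20} {h.description}")
```

Run against the sample list this reports only the three SQLite stores and ignores prefs-1.js, the Widevine/OpenH264 plugin files and the Temp drop. One caveat when applying it to real telemetry: firefox.exe legitimately writes all of these files, so the path match is only half the signal; correlate each hit with the accessing process, which the sandbox file list on this page does not carry.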