Malware Analysis Report

2024-10-18 23:42

Sample ID 240812-x6z7xawcpl
Target f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8
SHA256 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8

Threat Level: Known bad

The file f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 19:28

Reported

2024-08-12 19:31

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
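The four registry tables above (VirtualBox ACPI key, BIOS version values, Wine key, Geo/Nation value) are the sample's sandbox fingerprinting, spread over two processes. The script below is an added example, not part of the report: it parses rows in the report's own "Description Indicator Process Target" layout, maps each registry path to a probe label of this example's choosing, and totals the anti-analysis probes per process. The `SAMPLE_ROWS` are copied from the tables above; everything else (the regexes, the label names, the score) is this example's construction.

```python
import re
from collections import defaultdict

# One row of the report's "Description Indicator Process Target" tables. The
# indicator (a registry path) and the process path can both contain spaces, so
# they are matched lazily and anchored on the "C:\" that opens the process column
# and on the target column at the end of the line.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Set value \(str\))\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>C:\\.+?)\s+"
    r"(?P<target>N/A|C:\\.+)$"
)

# Registry locations touched in the report and what reading them tells the malware.
# The labels are this example's own naming, not the sandbox's signature names.
PROBES = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "anti-vm:virtualbox-acpi"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "fingerprint:bios"),
    (r"\\Software\\Wine$", "anti-emulation:wine"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "discovery:geo-nation"),
    (r"\\Control\\NLS\\Language$", "discovery:language"),
]


def parse_row(line):
    """Split one table row into its four columns, or return None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_indicator(indicator):
    """Map a registry path to a probe label, or None for keys this example does not track."""
    for pattern, label in PROBES:
        if re.search(pattern, indicator, re.IGNORECASE):
            return label
    return None


def probes_by_process(lines):
    """Return {process basename: sorted probe labels} across all parsable rows."""
    found = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        label = classify_indicator(row["indicator"])
        if label:
            found[row["process"].rsplit("\\", 1)[-1]].add(label)
    return {proc: sorted(labels) for proc, labels in found.items()}


def sandbox_evasion_score(labels):
    """Number of distinct anti-analysis probes (discovery-only reads do not count)."""
    return sum(1 for label in labels
               if label.startswith(("anti-vm", "anti-emulation", "fingerprint")))


# Constructed input: rows copied from the evasion and discovery tables of this report.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Mozilla Firefox\firefox.exe N/A",
]

if __name__ == "__main__":
    for proc, labels in probes_by_process(SAMPLE_ROWS).items():
        print(f"{proc}: {labels} (evasion score {sandbox_evasion_score(labels)})")
```

On the rows above, explorti.exe scores three distinct anti-analysis probes while RegAsm.exe and firefox.exe only perform locale discovery; a score of two or more from a single process is the threshold worth alerting on, because a legitimate installer rarely checks for VirtualBox and Wine in the same run.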

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfc59f1b1b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\dfc59f1b1b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Note: each row below pairs with a run of WriteProcessMemory rows from the same source PID to the same target PID (1348 to 1528, and 3880 to 888). Writing into a freshly started RegAsm.exe and then replacing its thread context is the process-hollowing sequence: the stealer stage executes inside a legitimate .NET Framework utility, so its later activity is attributed to RegAsm.exe rather than to the dropped payload.

Description Indicator Process Target
PID 1348 set thread context of 1528 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 set thread context of 888 N/A C:\Users\Admin\1000037002\4141b9b505.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\4141b9b505.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\0e0cad4653.exe N/A

Checks processor information in registry

Note: every row in this table, and in the "Modifies registry class" and "Suspicious use of AdjustPrivilegeToken" tables that follow, comes from firefox.exe. The browser was started by the injected RegAsm.exe (PID 1528, see the WriteProcessMemory table) with a Google account sign-in URL (see Processes). Treat the CPU, registry-class and SeDebugPrivilege events as browser noise rather than sample capability; the part worth recording is that the stealer stage launched the browser at all.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Count Description Indicator Process Target
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
7 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
21 N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
35 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
(Count = number of identical consecutive rows in the sandbox log; order preserved.)

Suspicious use of SendNotifyMessage

Count Description Indicator Process Target
7 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
20 N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
37 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
(Count = number of identical consecutive rows in the sandbox log; order preserved.)

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 3788 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
3 PID 2984 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe
3 PID 1348 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
10 PID 1348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3 PID 2984 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4141b9b505.exe
3 PID 3880 wrote to memory of 744 N/A C:\Users\Admin\1000037002\4141b9b505.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
9 PID 3880 wrote to memory of 888 N/A C:\Users\Admin\1000037002\4141b9b505.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3 PID 2984 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0e0cad4653.exe
2 PID 1528 wrote to memory of 3952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
11 PID 3952 wrote to memory of 2928 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
14 PID 2928 wrote to memory of 3696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
(Count = number of identical consecutive rows in the sandbox log; order preserved.)

Note: the rows with 10 and 9 writes (targets RegAsm.exe PIDs 1528 and 888) are the same source/target pairs flagged under SetThreadContext and are the payload writes of the hollowing. The three-write rows are the writes a parent makes when it starts a child and are not injection on their own; the first RegAsm.exe instances (PIDs 1264 and 744) received only those and never had a thread context set. The firefox.exe rows are the browser spawning its own content processes.
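Read together, the WriteProcessMemory and SetThreadContext tables give both the process tree and the injection pattern. The script below is an added example, not part of the report: it parses rows in the report's "PID A wrote to memory of B" / "PID A set thread context of B" layout, rebuilds parent/child lineage from them, and reports hollowing candidates, meaning source/target pairs that appear in both tables where the target image is a Windows system binary and the source is not. The `SAMPLE_EVENTS` are one representative row per distinct pair from the tables above; the system-path prefixes and the candidate rule are this example's assumptions.

```python
import re
from collections import defaultdict

# Row shapes from the report's WriteProcessMemory / SetThreadContext signatures:
#   PID <src> wrote to memory of <dst> N/A <process> <target>
#   PID <src> set thread context of <dst> N/A <process> <target>
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+)\s+N/A\s+"
    r"(?P<process>C:\\.+?)\s+(?P<target>C:\\.+)$"
)

# Images that ship with Windows (assumed list). A non-system process that both
# writes into one of these and replaces its thread context is the hollowing pattern.
SYSTEM_PREFIXES = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\",
                   "c:\\windows\\syswow64\\")


def parse_events(lines):
    """Parse the rows this example understands; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            events.append(d)
    return events


def build_tree(events):
    """Return (pid -> image path, pid -> parent pid) from the event endpoints."""
    image, parent = {}, {}
    for e in events:
        image.setdefault(e["src"], e["process"])
        image.setdefault(e["dst"], e["target"])
        parent.setdefault(e["dst"], e["src"])  # first writer into a pid is its parent
    return image, parent


def lineage(pid, parent):
    """Ancestor chain from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def hollowing_candidates(events):
    """(src, dst) pairs where src wrote memory AND set a thread context in dst,
    dst is a system image and src is not. Sorted for stable output."""
    wrote, ctx = set(), set()
    for e in events:
        pair = (e["src"], e["dst"])
        (wrote if e["action"].startswith("wrote") else ctx).add(pair)
    image, _ = build_tree(events)
    return sorted(
        pair for pair in wrote & ctx
        if image[pair[1]].lower().startswith(SYSTEM_PREFIXES)
        and not image[pair[0]].lower().startswith(SYSTEM_PREFIXES)
    )


# Constructed input: one row per distinct pair, copied from the tables of this report.
SAMPLE_EVENTS = [
    r"PID 3788 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
    r"PID 2984 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe",
    r"PID 1348 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1348 set thread context of 1528 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2984 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4141b9b505.exe",
    r"PID 3880 wrote to memory of 888 N/A C:\Users\Admin\1000037002\4141b9b505.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 3880 set thread context of 888 N/A C:\Users\Admin\1000037002\4141b9b505.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1528 wrote to memory of 3952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 3952 wrote to memory of 2928 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    image, parent = build_tree(events)
    for src, dst in hollowing_candidates(events):
        print(f"hollowing: {image[src].rsplit(chr(92), 1)[-1]} ({src}) -> RegAsm pid {dst}")
        print("  lineage:", " -> ".join(str(p) for p in lineage(dst, parent)))
```

The rule deliberately requires both events on the same pair: RegAsm.exe PID 1264 was written to by the same payload but never had a thread context set, and it is correctly left out. The lineage for PID 888 runs sample (3788) to explorti.exe (2984) to 4141b9b505.exe (3880) to RegAsm.exe, which is the chain to block on in an EDR rule: a .NET Framework utility whose parent is an unsigned executable under the user profile.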

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe

"C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\4141b9b505.exe

"C:\Users\Admin\1000037002\4141b9b505.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\0e0cad4653.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\0e0cad4653.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43539b3d-99bb-4a49-90e6-baee1c286da4} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c192be87-528b-48c0-91b3-d019da75d99e} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3376 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbda6e92-7905-48a2-9e82-497c26fc5fd9} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3652 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de7903a-9e7f-4c38-a206-d7e702f4d284} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4816 -prefMapHandle 4804 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84773f77-09cf-4f23-8625-ce07efe8b0b6} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 3 -isForBrowser -prefsHandle 4864 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21278220-e757-4859-9a60-9d60cfbc8870} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1003d4a9-b8b6-4516-aab2-d2d834de4486} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bf1f800-7cca-4a5b-94d1-5232b90aee60} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 6 -isForBrowser -prefsHandle 6280 -prefMapHandle 6296 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b6be17e-a8df-4fc7-be8c-8db052b1edaa} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 19:28

Reported

2024-08-12 19:31

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfc59f1b1b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\dfc59f1b1b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1560 set thread context of 2972 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4560 set thread context of 2040 N/A C:\Users\Admin\1000037002\0e0cad4653.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\0e0cad4653.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (this row is repeated 64 times: every hit is from the same RegAsm.exe process)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 4052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4052 wrote to memory of 1560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe
PID 1560 wrote to memory of 2972 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4052 wrote to memory of 4560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\0e0cad4653.exe
PID 4560 wrote to memory of 2040 (9 writes) N/A C:\Users\Admin\1000037002\0e0cad4653.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4052 wrote to memory of 4264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe
PID 2972 wrote to memory of 3308 (2 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 4016 (11 writes) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4016 wrote to memory of 1016 (20 writes) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
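The rows above are the informative part of this signature. Two binaries dropped under the user's profile (dfc59f1b1b.exe, 0e0cad4653.exe) each write repeatedly into a freshly started RegAsm.exe, which together with the SetThreadContext and NtSetInformationThreadHideFromDebugger hits is the usual hollowing of a signed .NET framework host; the firefox.exe to firefox.exe rows are just the browser spawning its content processes and carry no signal. The Python script below is an added example, not output of the sandbox: it parses rows in this table's layout (either one line per write, as the sandbox prints them, or collapsed with a "(N writes)" count), aggregates them per writer/target pair, flags writes from user-writable paths into a list of commonly hollowed .NET hosts (that list is an assumption made for the example), and walks the chain back to the submitted sample. The rows embedded in it are the distinct writer/target pairs of the table above.

```python
"""Rebuild the cross-process write chain from 'Suspicious use of
WriteProcessMemory' rows and flag writes that look like hollowing of a
trusted Microsoft host. Added example; not sandbox output."""
import re
from collections import Counter

# Constructed sample input: the distinct writer/target pairs of the table
# above, each with the number of times the sandbox reported it.
SAMPLE_ROWS = r"""
PID 2224 wrote to memory of 4052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4052 wrote to memory of 1560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe
PID 1560 wrote to memory of 2972 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4052 wrote to memory of 4560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\0e0cad4653.exe
PID 4560 wrote to memory of 2040 (9 writes) N/A C:\Users\Admin\1000037002\0e0cad4653.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4052 wrote to memory of 4264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe
PID 2972 wrote to memory of 3308 (2 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3308 wrote to memory of 4016 (11 writes) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4016 wrote to memory of 1016 (20 writes) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# One row per write as the sandbox prints it, or with an optional
# "(N writes)" count after the target PID.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)"
    r"(?: \((?P<n>\d+) writes?\))? N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+)$",
    re.IGNORECASE,
)

# Signed .NET framework binaries that loaders commonly hollow. This list is
# an assumption made for the example, not something the report states.
HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """True for images living where an unprivileged user can drop files."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def parse_rows(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image_path})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += int(m["n"] or 1)
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def suspicious_writes(edges, images):
    """Writes from a user-writable image into a known hollowing host."""
    hits = []
    for (src, dst), n in edges.items():
        s, d = images[src], images[dst]
        if basename(d) in HOLLOW_HOSTS and user_writable(s):
            hits.append({"src_pid": src, "dst_pid": dst,
                         "src": basename(s), "dst": basename(d), "writes": n})
    return sorted(hits, key=lambda h: h["src_pid"])


def chain_to(pid, edges, images):
    """Walk writer->target links back to the root and return the lineage."""
    parents = {dst: src for (src, dst) in edges}
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return [f"{basename(images[p])}({p})" for p in reversed(chain)]


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    for hit in suspicious_writes(edges, images):
        lineage = " > ".join(chain_to(hit["dst_pid"], edges, images))
        print(f"{hit['src']}({hit['src_pid']}) -> {hit['dst']}({hit['dst_pid']}) "
              f"[{hit['writes']} writes]  lineage: {lineage}")
```

Parent-to-child writes during process creation also show up in this signature, so the path-based filter (untrusted source, signed framework target) is what separates the two RegAsm.exe hits from the noise; on a real endpoint the same pairing maps directly onto Sysmon Event ID 8/10 or an EDR cross-process write telemetry.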

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe

"C:\Users\Admin\AppData\Local\Temp\f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\0e0cad4653.exe

"C:\Users\Admin\1000037002\0e0cad4653.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5ee4ea-8e07-4bac-8662-dfb88c42100b} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2332 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83ffd137-0704-4b46-9e77-0eea5303c03c} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d921ccf1-b0f9-4334-bae6-11361b9aeed3} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 3984 -prefMapHandle 3980 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b0cbf31-5e12-4441-aba0-9ff45e747656} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4736 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191a680a-3435-45e8-9532-2e8e1ac9111c} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5504 -prefMapHandle 4472 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5012300-47bc-41b0-a3b9-ce724c5d4c97} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb610763-9042-4325-acdf-29995afe06f9} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5948 -prefMapHandle 5944 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b712c615-cc48-43d6-b928-e653e3fa14f3} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -childID 6 -isForBrowser -prefsHandle 6280 -prefMapHandle 6284 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2850160d-2333-4cb3-9a08-87cd5d824eed} 4016 "\\.\pipe\gecko-crash-server-pipe.4016" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49885 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
N/A 127.0.0.1:49892 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
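Of the rows above, only the plain-HTTP connections to bare addresses in 185.215.113.0/24 (no name was resolved; the domain column just repeats the IP) and the PTR lookup for 185.215.113.19 are attributable to the sample itself; the rest is what Firefox does on start-up after RegAsm.exe launched it against accounts.google.com. The Python script below is an added example, not sandbox output: it parses rows in this table's layout, separates the two kinds of traffic with a suffix list of browser and telemetry domains, decodes the in-addr.arpa name back to an address so the lookup can be tied to the direct-to-IP hosts, and rolls the result into a small IOC set. The suffix list, the "candidate C2" label for the direct-to-IP hosts (the report only lists the connections) and the /24 roll-up are assumptions of the example.

```python
"""Split a sandbox 'Network' table into the sample's own traffic and the
browser noise produced when the stealer launched Firefox, then emit IOCs.
Added example; not sandbox output."""
import ipaddress
import re
from collections import Counter

# Constructed sample input: a representative subset of the rows above
# (the report repeats many of them; repeats only change the counts).
SAMPLE_NETWORK = """\
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49885 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
"""

# Domains the sandbox sees only because Firefox was started. This list is an
# assumption for the example; replace it with your own sandbox baseline.
BROWSER_NOISE = (".mozilla.net", ".mozgcp.net", ".getpocket.com",
                 ".google.com", ".gvt1.com", ".openh264.org")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_network(text):
    """Rows are 'CC ip:port [domain] proto'; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            (cc, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    d = row["domain"]
    if d and PTR_RE.match(d):
        return "ptr-lookup"
    if row["port"] == 53:
        return "dns"
    if d is None or d == row["ip"]:
        return "direct-to-ip"      # nothing was resolved: hard-coded infrastructure
    if d.endswith(BROWSER_NOISE):
        return "browser-noise"
    return "review"


def triage(rows):
    """Candidate C2 hosts, the PTR lookups that point at them, and a /24
    roll-up for a block list (the /24 is a conservative choice made here)."""
    classes = Counter(classify(r) for r in rows)
    c2 = sorted({r["ip"] for r in rows if classify(r) == "direct-to-ip"},
                key=ipaddress.ip_address)
    ptr_for_c2 = sorted({ptr_to_ip(r["domain"]) for r in rows
                         if classify(r) == "ptr-lookup"} & set(c2))
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{ip}/24", strict=False) for ip in c2)
    return {"by_class": dict(classes), "c2_ips": c2,
            "ptr_for_c2": ptr_for_c2, "c2_nets": [str(n) for n in nets]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_network(SAMPLE_NETWORK)), indent=2))
```

The PTR query is worth keeping in the IOC set: a reverse lookup of its own server's address is not something the browser did, so it corroborates that the 185.215.113.x traffic came from the injected RegAsm.exe rather than from sandbox background noise.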

Files

memory/2224-0-0x0000000000C60000-0x0000000001138000-memory.dmp

memory/2224-1-0x0000000077AB6000-0x0000000077AB8000-memory.dmp

memory/2224-2-0x0000000000C61000-0x0000000000C8F000-memory.dmp

memory/2224-3-0x0000000000C60000-0x0000000001138000-memory.dmp

memory/2224-5-0x0000000000C60000-0x0000000001138000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (byte-identical to the submitted sample, same SHA256 f498dd15...e47ca8: the sample copies itself to this path and runs the copy as PID 4052)

MD5 2e2977372ee576ba8ebb129e504a0f67
SHA1 e3b233216c22918b1726bd6f14036e0ca625ee8b
SHA256 f498dd150cefdd1dbef22f6aa1d9eea874df340a4e778d8fa71680ceb8e47ca8
SHA512 cf88d2deac28308cd53b2085ef1cf34df1e1b152afcef7ab67fa4c26725262b70a2b9139adfd4b61fcd36470a94638b424a0b0a72ebaa62727566e2c8798e3df

memory/4052-18-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/2224-17-0x0000000000C60000-0x0000000001138000-memory.dmp

memory/4052-19-0x0000000000DF1000-0x0000000000E1F000-memory.dmp

memory/4052-20-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-21-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-22-0x0000000000DF0000-0x00000000012C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\dfc59f1b1b.exe

MD5 287552245031dbfba5adc56e5595f06b
SHA1 bc243787cfd42946785ef87f47066d9d26d8693d
SHA256 c48ecabd6f927fb1c758a5cbdd416e6f64f49ae2734b39a028bff15e55fed27f
SHA512 631a29d55b04f807e989a4021b934557b3a7bef7329d5cf9dc8caaafac1b408b227ffe9b9c19eea55d4a412ae19958413500d078dfe4f87cc0fd8794ff797d66

memory/1560-41-0x000000007347E000-0x000000007347F000-memory.dmp

memory/1560-42-0x0000000000500000-0x0000000000630000-memory.dmp

memory/2972-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2972-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2972-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\0e0cad4653.exe

MD5 0062f8023ae661666d3878556e8dd739
SHA1 93874148f18869b9c2bc0bfadae20b7a7c4dbfa3
SHA256 83890cbc687e678653b1a67c6affb59a37dca660ad16c6d4f39dff8669aa6b3f
SHA512 7e4e9e7c83c28d4d0c7081f21105c3dc6a13d5fd5dfe6fe9256d12a56a63c63491738ad592527b07c35fbb00f86def4d875c753389c50966474b9798bf3af6e3

memory/4560-67-0x0000000000E00000-0x0000000000E38000-memory.dmp

memory/2040-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2040-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\99f358204c.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4264-87-0x00000000009F0000-0x0000000000C33000-memory.dmp

memory/4264-88-0x00000000009F0000-0x0000000000C33000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\6b7a6aee-a19a-409a-a414-ca81535390bd

MD5 2a2a1f3bb6de118b0f63a6050ac45bd5
SHA1 bd1deb1732237e197505daffac872b4c06087166
SHA256 f0132b69e92a2ec48be69b00a81436f5e1cb6f46263601053424356ffc6915d4
SHA512 ef5f74bb1e28acdac43800ce9e69a134ab27c42c735a337bb26475468f62f59e6d9b81272cc0036b687e5e13455d7644339295909e8d7c2b31741d251336948a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 34eb86ddc42b1c2fecc1cb4ce05e92db
SHA1 6a7266329a2bea21d7147c8a18cc13882e06af30
SHA256 f68cdb275885909b7f38dc96da5d3b86ba591185d65a4350577d86a720d6864a
SHA512 5b14e215915af41b227738a39d37fb4ef9575eb52f84969d5b97d7e866ae4bdae20d393507065043d51043ccd67059917b52d059d772c93b55b0ad6735082e3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\66a85559-8f66-407c-ac9c-1cdbc6576a98

MD5 a962e8bfb147cac717e790858a216d82
SHA1 104741f7044b58477c8818cc426507f8ef0f696d
SHA256 21713c951307d3f6f04caee4debdbddc8180256661edcdb0350a20add3e675d5
SHA512 67fe8cbf82619dccde1d2fe5607a271e778360a897f939a30d454bcfebd26fa5b0f9e5e8806d51f60fc3312fef5520c77bf682f240e642167f447047b8c3034d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\32e38795-73ba-42f3-9900-68115b98fc87

MD5 d9b45a08f704b696112abdb3883ff3d8
SHA1 520b2bc49eb59fad504bfd726668c5eb4064cab7
SHA256 2cb8451295abab9edebdbdb7d1eae5bfb9cdd3b30284e6c3f9ee166f234c089b
SHA512 7930b29911279b4b4e460412923a70cf169056f8d5881605e2c4c3f483ceca50c8211e5dfce3c1a23f081a6b19783eeecaf212b819c1aabb2553ca7b1d40501d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 1c4b698e012b5030ca005710092563fd
SHA1 525d82148feb731ff47c5b1bf449725b06d34456
SHA256 9814b09e11ab37e137f8ce35489e3a92414264a1f39673c543676c668600cc87
SHA512 ad280be88b7b8bf127408772ad0c621bf308e96c2bb9ec22f40de437a77e1a7abf584ca659ec121f6d8c778b28df6a56385b9a49daf37194715bca85c61283be

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json

MD5 4c81b2385741815d4bda8701c8a08c93
SHA1 8e09c8267f9b678e4175191b6222a8a9f604ef28
SHA256 409b740b8cffb48693442c3c6e381bb4cd1bb987f350ffe7581e7d7ef5052273
SHA512 77ac985ec8b1871e06a449dead6b421034b0205c8a66045c9609ef3b88e2ee7f00acf71181d33621ad2087fa530bcb34ad81d0f562d5f7b81c85982b146a3b6b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 c1922c66d9ae0a236357682a616b2298
SHA1 e8fbbf69afe2c084c2296381085f4aceecbc48fb
SHA256 cfbe5e8e89e4ae342d9af376803c11e66103a43975e907419f9b9fb0f53891f9
SHA512 a02fa0d10406e54597fcbaa6f71cfc80e9fd0859ddbb51257b8383f375743adfa22e51da66c969ea947c7410cec741ccba302183dc6ee71e03cb64870c6b13ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 bad269d8367c1b2902c7b4b4a14f5270
SHA1 ea8a570949893a81d8f67e3016d49a4c1dd5bb6f
SHA256 11767c43ac38d84ca8c87e0d2ec6da794673d6c4bfface880ab36fd1ea7126d2
SHA512 6c6d44791bbbda688e76df72f0429be807a844944da82a01a9f1e2b531f101efb8c06c70f480928e63713919ca4bbe1d7716ca11e1747d371c48de0c6f0d3c87

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

MD5 a0804141231899b1f08b0cc4063c0ad6
SHA1 9eb0998d2708ee82e0c3504cb07fd3098a52b245
SHA256 c4f460fb28babdd8161c091cc6b9c83a67e39ac8fe20fdb639abe95b4804a026
SHA512 50246b6fce94155b04f80e5019e43e88508d409cb3cd7629477fc7f3d1e4a7aa336559b78f0c2bc4a411cc0ad8b147d1475ea0f05f5f7fb1d227e84a72966b9d

memory/4052-413-0x0000000000DF0000-0x00000000012C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

MD5 2e3edea57adec6d658f57ac7ab606cfd
SHA1 3de8830086457178c167f3a3731d04bb9363638b
SHA256 458be141f13be29033e1072bf7fe955fe0d8f4da0cbbcae5796c1d38577410d2
SHA512 9c93b8565413b53cecfb3ece602f6e5f837128c804aee15373216b373567b53d2c3b1cd3406bbbcb6f1f4f043d559bacd82f5da67e16a1ef5b371bb183def6e9

memory/4728-450-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4728-456-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-457-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-466-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-469-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-470-0x0000000000DF0000-0x00000000012C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 86ced1a9b6db269bf94cf75c35d7d526
SHA1 c7185157b8affe62250f37647fc1745671a328fe
SHA256 d66100e579b65305896a43ff4b1765d3029b6125b6442c00238043ab6c5af588
SHA512 f8bb3f90fe96d694a23981f340be556960fad6a419a5479442788e72b69ff6f918b5154cb0adaab2311fddcd4ff5164d06d47538883b11ea4e4fc50cecadebb1

memory/4052-483-0x0000000000DF0000-0x00000000012C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 ff1b06a0ae7c93aa4d72f804fc06c758
SHA1 73a164f9e92583bade67ebf27c9dae8a1c9490c4
SHA256 57be2b27b8528c5805074729b8b18e920f7abed69920b38a4dca2d49466bc786
SHA512 a65824543389418d27c2e8d94f0c58143e11d3148e1ef51d3044f79b6ccef3c42cafe947f2859e4fcf2dd3926ba93b58e06af55a65440395da2ddbc65cbc8e40

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 29cfef1b52704542a9d2d673dbe9a1ff
SHA1 5a131bc782b140df735b6cefd871aee834553b38
SHA256 4cc59c6c223401b2238f5d53dc29ad5bdf629af84d1a2e9f8c0ad210a9de8dcb
SHA512 340a7bc09536e20610d9e61e633779a442b5afe47a652d6479b1b18dcf477c0d34710f2e8256ddc22e1e88f74a2c30de6be70bc7bd0a9d4122923587ae2f6212

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3ca1c21e18352f63afef9e188a813ae6
SHA1 387d02132e4eef29f14e7af434245533c326caa2
SHA256 a01682945f4d21e76d399c05327c0eb12f8428019df891bf6896b1f404f4f35c
SHA512 47c3c944fb8da2c1e80e2cb809b2d06fac9237ffcaa285106176ba5c829ee862c43af44122dfba0196c9df82da6bec7869fe851dacd08edd63252a3552e9e43b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 cf229914a6614806a9d5465f0528d636
SHA1 dd51c6c9079ae501463772c13f4f89b19cabfb0f
SHA256 9b2b6d0dc63cc7432141a77b59c7563c8a70b933cd8d26c8eab9bca19ef661fa
SHA512 ace41f81c60ce2cb6ddc6055e9db0b98649aba8279a5323a4de5f7b3b881965719ef3dd1f61cae1918ae45d1740f9489460ae68d2bfd64a9d0c3b78354f21427

memory/4052-1049-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-1794-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2583-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2630-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/3376-2635-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/3376-2637-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2638-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2639-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2640-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2641-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2642-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2648-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/3932-2650-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/3932-2651-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/4052-2652-0x0000000000DF0000-0x00000000012C8000-memory.dmp
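The file listing above is the part of the report an analyst actually turns into indicators, and the dump names carry structure worth extracting: the same region 0x0000000000DF0000-0x00000000012C8000 is dumped repeatedly from PID 4052 and also from PIDs 3376 and 3932. The script below is an added example, not part of the original report or of any sandbox vendor's tooling. It parses entries in the shape shown above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, and `memory/...-memory.dmp` lines) into records, validates digest lengths, and reports address ranges shared across processes. The interpretation of the dump name as `memory/<pid>-<seq>-<start>-<end>-memory.dmp` is an assumption about the naming convention, and the embedded sample is a constructed excerpt of the listing.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries copied in the shape of the report's listing.
SAMPLE = """\
memory/4052-483-0x0000000000DF0000-0x00000000012C8000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

memory/3376-2635-0x0000000000DF0000-0x00000000012C8000-memory.dmp

memory/3932-2650-0x0000000000DF0000-0x00000000012C8000-memory.dmp
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed layout of a dump name: memory/<pid>-<seq>-<start>-<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_report(text):
    """Return (file_records, dump_records) parsed from a listing like the one above."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # a dump line ends any open file entry
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current[algo.lower()] = digest
            continue
        # Any other non-empty line is a file path that starts a new entry.
        current = {"path": line}
        files.append(current)
    return files, dumps


def region_size(dump):
    """Size in bytes of a dumped region."""
    return dump["end"] - dump["start"]


def shared_regions(dumps):
    """Address ranges that were dumped from more than one PID, with those PIDs."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def sha256_iocs(files):
    """Deduplicated SHA256 values, the form most blocklists and hunts consume."""
    return sorted({f["sha256"] for f in files if "sha256" in f})


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for f in files:
        print(f["path"], f.get("sha256"))
    for rng, pids in shared_regions(dumps).items():
        print(f"region 0x{rng[0]:X}-0x{rng[1]:X} ({region_size(dumps[0])} bytes) seen in PIDs {pids}")
```

A region of identical start and end addresses showing up in several processes is a prompt to diff those dumps against each other and against the dropped executables' hashes; the parser only surfaces the pattern, it does not by itself establish how the region got there.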