Malware Analysis Report

2024-10-18 23:41

Sample ID 240813-a1z9dszeln
Target f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
SHA256 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-08-13 00:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 00:41

Reported

2024-08-13 00:44

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ceef40c6c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5ceef40c6c.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 set thread context of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\d6212392b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 720 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 720 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 720 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4116 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe
PID 4116 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe
PID 4116 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3016 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4116 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d6212392b6.exe
PID 4116 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d6212392b6.exe
PID 4116 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d6212392b6.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 3184 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4116 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe
PID 4116 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe
PID 4116 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe
PID 1448 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1448 wrote to memory of 2176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2176 wrote to memory of 2004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe

"C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d6212392b6.exe

"C:\Users\Admin\1000037002\d6212392b6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb52d5f-380d-447e-b331-9169b8551ee3} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2336 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2e420f-9d16-496f-bd57-847f05481e2b} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1853433f-9fc9-43eb-be07-f5ec67431c2c} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 3016 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de5bdea-795f-46a8-af25-9a3b29f1b732} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a17bbe-7cec-43bd-9b60-31595eb287d0} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 3 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {345bd2cd-3b30-440c-8243-b88a9a80e16f} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 4 -isForBrowser -prefsHandle 5972 -prefMapHandle 5952 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e213a43-a769-43e7-a03c-927fb6069534} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 5 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a717fa-e71b-4e3b-bba1-9d000c05ac18} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a11de0a-936e-4212-83a1-fdbc7885e539} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:64724 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:64733 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/720-0-0x00000000007E0000-0x0000000000C9D000-memory.dmp

memory/720-1-0x0000000077684000-0x0000000077686000-memory.dmp

memory/720-2-0x00000000007E1000-0x000000000080F000-memory.dmp

memory/720-3-0x00000000007E0000-0x0000000000C9D000-memory.dmp

memory/720-4-0x00000000007E0000-0x0000000000C9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d27e91c1a583fbb0ad75d1ed0e071c36
SHA1 5d0490f1a41e7db58173b22e0987a580ef4948b7
SHA256 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
SHA512 55b2ba4d4acbd72e1dbcd8787d84428bf45c6907eedcc2ecf6592faec0227c760f599cffadbcdd81214037ad46d2c7668716a6b137814703c83e76b67981652d

memory/720-15-0x00000000007E0000-0x0000000000C9D000-memory.dmp

memory/4116-17-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-18-0x0000000000141000-0x000000000016F000-memory.dmp

memory/4116-19-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-20-0x0000000000140000-0x00000000005FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe

MD5 e9f451fbd9478da22063ad6442b7645b
SHA1 dd8e4124804fb5f064fc990a25ac3c61e21cf58b
SHA256 64a837de134c3db432c0b4a3b02dbd67d72fb85a93fa709536af8660582ec030
SHA512 31a019ca16404674bf92a8a716d85cb25aae5e6257d1146c7dd08c08c468c784a35a3f798867d29c349ce61fc536f9357dfa5ec743e2de7e6620a5f4c0d00bdf

memory/3016-39-0x000000007329E000-0x000000007329F000-memory.dmp

memory/3016-40-0x0000000000CA0000-0x0000000000DD0000-memory.dmp

memory/1448-42-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1448-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1448-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d6212392b6.exe

MD5 3ee6242a7467b2c61eb54c046cbe3f22
SHA1 2665e1c82be292d67de5f5b3b740c709d8515cab
SHA256 fd49efadc4c19544493788e57a9433cbb89b740ed4a20e5c7b969dcbcbb853c6
SHA512 c67cc3ee3203356906474eea9a265003678975af540da638ccbe788a47031d8aab35242c88d13792dcbdc4f4f02efacebd35b205f83d341e68584cef7aa3f458

memory/5048-65-0x0000000000220000-0x0000000000258000-memory.dmp

memory/3184-67-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3184-69-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/5016-85-0x0000000000370000-0x00000000005B3000-memory.dmp

memory/5016-86-0x0000000000370000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\cbd0e411-82b3-45c7-aabb-4c9c6b795f10

MD5 f83fb5ac3a0b16be70b42a5da913ba1c
SHA1 6d6ffed374aa4839ad6be9ed299cf5613f3380db
SHA256 435ee58acf1fc695b32c2ad8d3261fc906e6ed0c5a5190712fe8612c1278e512
SHA512 a9ed597de2c73c7b70501f73906a4575c5fd7ac4fecba5eb954e5f0e66a243ed60612c8e909e1cbd891ba913e41d4638b401e169a4e88f947fb0ec9d7a6d8ba1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\b3a138df-433b-4c25-8c58-afa88dab2b8a

MD5 fb60ac4072ade9b1fcfb1c1af8a4aeb9
SHA1 c6cb7ef3bad941b7e078a2c5a0b2590c0e8c9711
SHA256 2563060d83a1c09cf05ceae4aec862cc33bf6c674fa9b8baeef53567d90dfb3f
SHA512 d6c898743a01e6b35db7791511be620e4a5c10d59d9dc20089085c3e9c7735b0221b38492147c7daab72bf5142cca57dd6373e47905dfc007401138f111c03d0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 06cd327f2abb88af2cb3cb5c4aa0ade9
SHA1 81439e26da78d6aa729ecdb99ab2b5e4110fa163
SHA256 7e129baf641732321f69ee2890e565b7c5da2a47314e4bdf01c76838924015ce
SHA512 17e6f95e8cf9f6e0d38a000fd5d8ac07ae6d049a41e6efd1e7e35bbf52eb07c85091944a37397cd301be731fe0be644528b75f1124ebe48d4bdf64ae7596e589

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 e507bc05c1b7649bdd3611982537d467
SHA1 ebeeb431bfc5bf22377cced9315ca69762b38cf9
SHA256 d30070f61f20ad6bdad0860fef8edab015d74da6a304023e5f4f834f3fc51199
SHA512 3322c1364989035683965e9284ba07252531adb4db4107841165d788f7036a38fe76a078ae95522dbf6138342b56801e579afe1a0ec2da73308dee719670946b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 ef9183b88796b03113a26ee12103079d
SHA1 3a3a6e91238465ea9769141b399663c96a6ecaeb
SHA256 ef70e7c8ce71c77c618215430e469a40edb1646346905ea009d794513fb7aa6b
SHA512 3c49524ba2c438910428a4b9c777290555d015ffd1b45d9695e9ee236ec8ff467ccbd603c6c9e9cd5b0bf733a4d8720047cced99574b11d2c5d711bfe7a589d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 e41013ad8c05f6f440c96ccd2d809fed
SHA1 2792b4c39af48897803cc7a126877afb734a6176
SHA256 11c348531457ada49fb3f29fcac9babedc773c56499ec58b0d76c2bed0481f1c
SHA512 46e35e396e10055de2792a288e659ee5f21afd91a17fe072b9f9bfc6c0c0eff06b280751dd4ea7d458c225e474aaa602de81b2844f270e9e30e398da2eb5c648

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 de382925ab34f2dc7bf1e36db5abca03
SHA1 22987b4a4f36431aac0bdd881a8169603a712a56
SHA256 03f38d9aeab9c3a3c3a2f95bad750d358b1f5cebde724096250ab3dd74f68843
SHA512 39234357a061de3e349607d2257e2ab4d568c9f64609dfe51b24cde650d6bea33c85b55ec6e58c5588d2e4744b29b3eac3f852d97f79920d7777c30c0b5e1d1d

memory/4116-402-0x0000000000140000-0x00000000005FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 bba418fa52527d5a9ebb716ef0c4c0b7
SHA1 319bc71df67f427b5721c423a45942c2b61d03e5
SHA256 fda11fb7f7ed812da3ed1bb1f3769819ac715f25104c41c127c2cd47f31399ce
SHA512 64e25f7b60111d4a65264096e720e19a61af1599b7ab6aad01fa98582b44cd38bb37fa687c62d98be31bff346afa83ef192a5b11c6513bdb8cf8afaeba632aad

memory/4116-432-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-441-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-444-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-445-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/5812-451-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/5812-452-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-453-0x0000000000140000-0x00000000005FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 d37db0ac5a4c632ca3b52cbf97bb0115
SHA1 6abff479e2b9dd7fc9343c9dccdefdd34edbe4f7
SHA256 99095313bc22be50bf40c5440b3c2e7880910893968a47272c5154c103aa255c
SHA512 baae7be0ea218aec7d93785bf9b63946fc72b3596331e19722fec87c65d094983a4815c829bd96a7a82e6062292dcd5989c03b0fdb7fbc65c29483102390357a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 e06891169a49007d2d2f945f6c147821
SHA1 a714bb221247428270b58cebab0ee1449b4dc2c1
SHA256 7e3a6d6b9ee2151e485f398b914c10e39843de1c09cc3fef1a9a9619273e83af
SHA512 91ba2510e67d07d395417fa0fed8e706ab2d98f882228277438e6389837c95b00935e0fcffdcceb84503546a80026ba95195ae6c57c2dd92e56e36d069666859

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 26cec352918e4215d4cf2c96baf5bae8
SHA1 657c8df9a3fdb2fe40f5e0e1155a175ff6f60fa7
SHA256 89d5b8c148b8e911e40df3f88a3a5919383a12194f92224a52f3ca9bc06297a0
SHA512 04920b61526dbd33b58b1e724f208222e8e6ab3df3c2216018ab8897ca01a2889726e867ead056c531ce78888e10a92b98a726ea2a89c02ec3d42313a63026fd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ac4362369ad1a50d957e1e4e676fc797
SHA1 3da71c0eeea6fd549f13a31affcd1030a637ba3a
SHA256 fe6d93ef5aee464adab5ff43e352a24b98c90544061ce410cffa2476b7286247
SHA512 d74209f5668ce1e56e7121a97e75cbc5c685247e08f16e6a3f347654d3f96ede947647015f85ec8d2f3895978866b0abd6c0b5e227d4ace25ca0c80816a165f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f16af117bee2094478561dff033c9129
SHA1 f03cd847c5c8d96d791e6db123f43f137482a5fc
SHA256 ae7c57417bef45106a2cd08acc2048411accab65cf12abe171b24fdbb9325754
SHA512 9a1cbb0f0b24620263ea571c8c53549365f5993bcbdc6c2b9b994089baa9001682f760576049e02957aaa905d9a71594253bfbc16df167728e12830e05e0dc73

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 3dad41de4dd52842c5978f583084df36
SHA1 f1d50603493ae3b2eec4efcd7d483cbed0687b84
SHA256 4d20976e397557d5813c1c370963056c71ec6dc6c761d9c8460108cc55fdc8be
SHA512 e455ade277e28f9920815dd969cc0f6a4a14231a5ae1175c478885c0fda4713ab3b2adf8458254be947d4fc72677629898b6864ade057886569d03d448f4a7bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 9ef173ac49f2662fc63f8d59bdc2f258
SHA1 effae060c17b90aa5a14962d59fa7507403673d0
SHA256 262517b4803bf2e1c82404832c3f811abdbddb0b16b4773c29d954e493ad818b
SHA512 f6e4f34e2134e562f3abc51e2690628bc25ddd810efbf089eac391b50cb7d57878922489fb944b7ce2d56ee92725d3bb8c99ac34720c4c7bd40cf99fbd3811d6

memory/4116-1182-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2513-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2614-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2620-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2622-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/676-2624-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/676-2625-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2626-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2627-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2628-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2629-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2635-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/4116-2636-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/1176-2638-0x0000000000140000-0x00000000005FD000-memory.dmp

memory/1176-2639-0x0000000000140000-0x00000000005FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 00:41

Reported

2024-08-13 00:44

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ceef40c6c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\5ceef40c6c.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5000 set thread context of 576 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 set thread context of 1616 N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\d6212392b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 3540 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3540 wrote to memory of 5000 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe
PID 5000 wrote to memory of 576 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3540 wrote to memory of 460 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d6212392b6.exe
PID 460 wrote to memory of 1616 (9 events) N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3540 wrote to memory of 1828 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe
PID 576 wrote to memory of 4732 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4732 wrote to memory of 3484 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 2904 (20 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
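
The WriteProcessMemory rows above are enough to rebuild the execution chain: the sample starts explorti.exe, explorti.exe starts three downloaded executables, and two of those (5ceef40c6c.exe and d6212392b6.exe) write repeatedly into a freshly started RegAsm.exe, after which RegAsm.exe (PID 576) launches Firefox. The script below is an added example, not part of this report or of any sandbox's code. It parses rows in the report's own format, reconstructs the parent/child tree and flags the two patterns a responder cares about: a PE under the user profile writing into a Microsoft .NET host binary (the process-hollowing pattern), and a hollowed host spawning a browser. The set of .NET host binaries and browser names is an assumed list, not something the report states; the firefox.exe to firefox.exe rows are skipped because a multi-process browser writing into its own children is expected.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The nine distinct writer -> target pairs from the WriteProcessMemory table above,
# in the report's own row format, with the number of times each pair was logged.
WPM_ROWS = [
    r"PID 2208 wrote to memory of 3540 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
    r"PID 3540 wrote to memory of 5000 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe",
    r"PID 5000 wrote to memory of 576 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 3540 wrote to memory of 460 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d6212392b6.exe",
    r"PID 460 wrote to memory of 1616 (9 events) N/A C:\Users\Admin\1000037002\d6212392b6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 3540 wrote to memory of 1828 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe",
    r"PID 576 wrote to memory of 4732 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 4732 wrote to memory of 3484 (11 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 3484 wrote to memory of 2904 (20 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
]

# The "(N events)" group is optional so rows copied without a count also parse.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events\))? N/A (.+?\.exe) (.+\.exe)$", re.I)

# .NET utilities routinely used as hosts for hollowed payloads (assumed list; the
# report itself only shows RegAsm.exe) and browsers a stealer may drive.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def parse_row(line):
    """Return (writer_pid, target_pid, events, writer_image, target_image)."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    w, t, n, wi, ti = m.groups()
    return int(w), int(t), int(n or 1), wi, ti


def name(path):
    return PureWindowsPath(path).name.lower()


def user_writable(path):
    # Every dropped file in this report lives under the user profile.
    return path.lower().startswith("c:\\users\\")


def analyse(rows):
    events = [parse_row(r) for r in rows]
    image, children = {}, defaultdict(list)
    for w, t, _, wi, ti in events:
        image.setdefault(w, wi)
        image[t] = ti
        children[w].append(t)

    findings, hollowed = [], set()
    for w, t, n, wi, ti in events:
        if wi.lower() == ti.lower():
            continue  # e.g. firefox.exe feeding its own content processes
        if name(ti) in NET_HOSTS and user_writable(wi):
            # user-dropped PE writing into a system .NET host: hollowing pattern
            findings.append(("hollowing", w, t, n))
            hollowed.add(t)
        elif user_writable(wi) and user_writable(ti):
            findings.append(("dropper_launch", w, t, n))
    for w, t, n, wi, ti in events:
        if w in hollowed and name(ti) in BROWSERS:
            findings.append(("hollowed_host_spawned_browser", w, t, n))

    # Roots are PIDs that write but are never written to.
    roots = sorted(p for p in image if all(p not in c for c in children.values()))

    def render(pid, depth=0):
        lines = [f"{'  ' * depth}{pid}  {image[pid]}"]
        for c in children[pid]:
            lines.extend(render(c, depth + 1))
        return lines

    tree = [line for r in roots for line in render(r)]
    return {"roots": roots, "findings": findings, "tree": tree}


if __name__ == "__main__":
    result = analyse(WPM_ROWS)
    print("\n".join(result["tree"]))
    for finding in result["findings"]:
        print(finding)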

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe

"C:\Users\Admin\AppData\Local\Temp\f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d6212392b6.exe

"C:\Users\Admin\1000037002\d6212392b6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bcea04a-52e1-49c2-bf76-d7456733b3c5} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2264 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {493cf393-9661-4941-9053-14cc65e0df74} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2604 -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 1416 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c61f757-3269-4d1e-aea0-a17a15f6ba39} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3552 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a5d717a-9bc0-4b5b-914c-2f60d63aee7a} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4520 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c037097-5b50-4ae3-9391-3dbb7c6b38b3} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5640 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {029d0720-ce03-40b2-bc48-5e86bef5aeee} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 4 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1702e0aa-bb1e-49d6-8f01-9455c5d927df} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6044 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6056 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef636588-bfb7-44a8-8c2e-b42dcccab29c} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6332 -prefMapHandle 6328 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a38f64c0-e6a9-4ef0-841e-d581cff3c5ee} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

(six further entries for this path, no command line recorded)

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp (5 connections)
RU 185.215.113.100:80 185.215.113.100 tcp (2 connections)
N/A 127.0.0.1:49850 N/A tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp (2 connections)
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp (4 connections)
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
N/A 127.0.0.1:49858 N/A tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp (6 connections)
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
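
Most of the Network table is background traffic from the Firefox instance the sample launched (Mozilla, Google, Bing and Akamai hosts) plus DNS to 8.8.8.8. What is left is three plain-HTTP connections to IPs with no hostname at all, all in 185.215.113.0/24. The script below is an added example, not part of this report or of any sandbox tooling; it parses the rows in the report's own column layout, including the loopback rows that carry no Domain value and any trailing "(N connections)" count, buckets each destination, and extracts the direct-to-IP destinations as C2 candidates grouped by /24. The suffix list used to label browser background traffic is an assumption for this run only; it is a noise filter, not a statement that those hosts are safe.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the Network table above (Country Destination Domain Proto).
# Repeated identical rows are listed once; the loopback rows have no Domain
# column, exactly as in the report.
NETWORK_ROWS = """
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49850 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 216.58.214.14:443 play.google.com tcp
N/A 127.0.0.1:49858 tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
""".strip().splitlines()

# Domains the sandbox's own Firefox launch is expected to reach. Assumed for this
# run only; it is a noise filter, not an allowlist.
BROWSER_SUFFIXES = ("mozilla.net", "mozgcp.net", "google.com", "gvt1.com",
                    "bing.net", "akamai.net")


def parse_row(line):
    line = re.sub(r"\s*\(\d+ connections\)\s*$", "", line)  # optional repeat count
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:  # Domain column absent (loopback rows)
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    if domain == "N/A":
        domain = None
    return {"country": country, "ip": ipaddress.ip_address(ip),
            "port": int(port), "domain": domain, "proto": proto}


def under_suffix(domain, suffixes):
    # Label boundary matters: "evil-google.com" must not match "google.com".
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    ip, domain = row["ip"], row["domain"]
    if ip.is_loopback:
        return "local"
    if row["port"] == 53:
        return "dns"
    if domain is None or domain == str(ip):
        return "direct_ip"  # no hostname at all: typical of hard-coded C2
    if under_suffix(domain, BROWSER_SUFFIXES):
        return "browser_background"
    return "review"


def triage(lines):
    buckets = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        buckets[classify(row)].append(row)
    direct = buckets["direct_ip"]
    c2 = [f"{ip}:{port}" for ip, port in sorted({(r["ip"], r["port"]) for r in direct})]
    by_net = defaultdict(set)
    for r in direct:
        by_net[ipaddress.ip_network(f"{r['ip']}/24", strict=False)].add(r["ip"])
    # Several hard-coded hosts in one /24 is a stronger signal than any single IP.
    shared = {str(n): [str(i) for i in sorted(ips)]
              for n, ips in by_net.items() if len(ips) > 1}
    return {"c2_candidates": c2, "shared_nets": shared,
            "counts": {k: len(v) for k, v in buckets.items()}}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["c2_candidates"])
    print(result["shared_nets"])
    print(result["counts"])
```

Anything that lands in the "review" bucket (a real hostname outside the expected suffixes) is where a human should look first; in this run that bucket is empty, which is itself useful to know.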

Files

memory/2208-0-0x0000000000300000-0x00000000007BD000-memory.dmp

memory/2208-1-0x0000000077BF6000-0x0000000077BF8000-memory.dmp

memory/2208-2-0x0000000000301000-0x000000000032F000-memory.dmp

memory/2208-3-0x0000000000300000-0x00000000007BD000-memory.dmp

memory/2208-5-0x0000000000300000-0x00000000007BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d27e91c1a583fbb0ad75d1ed0e071c36
SHA1 5d0490f1a41e7db58173b22e0987a580ef4948b7
SHA256 f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634
SHA512 55b2ba4d4acbd72e1dbcd8787d84428bf45c6907eedcc2ecf6592faec0227c760f599cffadbcdd81214037ad46d2c7668716a6b137814703c83e76b67981652d

memory/3540-18-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/2208-17-0x0000000000300000-0x00000000007BD000-memory.dmp

memory/3540-19-0x00000000053F0000-0x00000000053F1000-memory.dmp

memory/3540-25-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

memory/3540-24-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/3540-23-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/3540-22-0x0000000005420000-0x0000000005421000-memory.dmp

memory/3540-21-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/3540-20-0x0000000005400000-0x0000000005401000-memory.dmp

memory/3540-26-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-27-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe

MD5 e9f451fbd9478da22063ad6442b7645b
SHA1 dd8e4124804fb5f064fc990a25ac3c61e21cf58b
SHA256 64a837de134c3db432c0b4a3b02dbd67d72fb85a93fa709536af8660582ec030
SHA512 31a019ca16404674bf92a8a716d85cb25aae5e6257d1146c7dd08c08c468c784a35a3f798867d29c349ce61fc536f9357dfa5ec743e2de7e6620a5f4c0d00bdf

memory/5000-46-0x00000000735BE000-0x00000000735BF000-memory.dmp

memory/5000-47-0x0000000000B70000-0x0000000000CA0000-memory.dmp

memory/576-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/576-52-0x0000000000400000-0x000000000052D000-memory.dmp

memory/576-53-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d6212392b6.exe

MD5 3ee6242a7467b2c61eb54c046cbe3f22
SHA1 2665e1c82be292d67de5f5b3b740c709d8515cab
SHA256 fd49efadc4c19544493788e57a9433cbb89b740ed4a20e5c7b969dcbcbb853c6
SHA512 c67cc3ee3203356906474eea9a265003678975af540da638ccbe788a47031d8aab35242c88d13792dcbdc4f4f02efacebd35b205f83d341e68584cef7aa3f458

memory/460-72-0x0000000000890000-0x00000000008C8000-memory.dmp

memory/1616-74-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1616-76-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1828-92-0x0000000000BE0000-0x0000000000E23000-memory.dmp

memory/1828-93-0x0000000000BE0000-0x0000000000E23000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\f49bc2d3-535f-4a7c-9ae8-95390735b66f

MD5 16c8f16f3b0d89e0e9a87fdc1abc49ce
SHA1 6c80c7ad5f96381384be839917af56da26037387
SHA256 1f6d5c48719bce8e5494a8647d995ad24615c0f4e03993327075f97e2151839c
SHA512 cd7a8352800427f7f3f98c053ea1f78abce1e216e8b8e9fc2175ee01efb63a905f84af88b8f6374c372da1bbd7c634963034cbbe999feb147bd7b47f86e4fd11

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\ccf378a9-9708-4952-be86-317115058d8d

MD5 9a7b99ff41aff4dc89ee5041291d0387
SHA1 d7418407e86e8a14c2f3523f3bfd736e38ac3f7f
SHA256 225f1a6e3c8a6eb835abf21e49f4edeeb84999cb9ebe6513cb787272f929d95d
SHA512 64f274b664ecef95210f7f8c9981638dab50f331a2c75f8c3b1eabf7cea2342894aceb7cf4c465e904695681683dba35b18ff19ab9dd1811af737ebfaaff782f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 acb1c20833f2744fd729b2b875dffa66
SHA1 acf500df22bbaaef1432033e53673f45b89b45fa
SHA256 343a70ce8674c326d2998e4771d22afcd8400123e72b82d3b3d8ba38f5200ae2
SHA512 8befb0ba1e808f99c8fefac8cd3ab6426c1442b426f57738766a68df10f0e5ff565df97f66d1a9600ba37ea60cb79b82fdbd0b170104071e080837657c99dea5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

MD5 a42d45ef98a75859a2d7a1e3ba6bd5c4
SHA1 06227bed68e9d76b6f791da172e0ed2d77ceef5f
SHA256 d8444372162366254a573f9ab47983c922238895b05fae1cc26ac8da88c1a63f
SHA512 3ad91034f604e6bc7cb1f366128e876567fcfd36d290c0712cedb2d3425888cc3111b5510e14fc1defcbbc4138fb0710b8be0d018fca535913348b3e6208d468

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 225a4ea7593dd7081a415489d0a0623e
SHA1 da718d1b994195b29226f6faa1daddf13a8271fa
SHA256 55022b91b8752a7bc634b62e92499ef5de59ed7b812edc639859a706bee23743
SHA512 f4ef4d9fa659098204966f64e518e3bbbaa7a8d9aef97d197af32453c7aaab01dd799fd9bc3a2a653a49af70ada9c51426f63ea95d5554ea7aa4afbd8567ab2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 f196da37b5356169eecf5afa4079c849
SHA1 ba3d90b394b03e320da33b3d319063fa2524fa73
SHA256 1bb51323d5d4bacca49762255224449f007a8b828a2f0261d17ff0610dffe550
SHA512 553900334176379ded879113c3ebd6e92c5307c1608ad458db3a49f7245069ea40c5f61d402d0113748f05b34b26c45afa6d1357d2a85c2694db7b4e05c68a5d

memory/3540-409-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-432-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-433-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/4464-439-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/4464-440-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-441-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 2bc4d74ee4af9fea558e0c2092489f80
SHA1 b2af36aa304f72a886ce4d2c978a1c57ce0b1e2c
SHA256 3f3b147836a98abfcf6821388a6ba2e220843686f3e4c8f2446773ae346dd961
SHA512 2137459552808c35bc95411bdb72be48b601f2c5a5f4b369167eedb97cda56f188a24fd433ad38fdc76c8b7d39c42d6cc135433f3d01af7599196d031e8af4fb

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 09b08586bd9377dd031754642ddd1781
SHA1 f8a921679f37ac1b54390d62f27eb1b7144d9cb6
SHA256 b38c50056d687aa1f4bb74172167650fe0f55c031aa74a208c0760723efdeb2c
SHA512 e69ce15b3058131df03fe2f7bd9a6d9495767db2aa56e4608f36938c4d3d98151f71205bed7af56560e0da5b489e864c3316f628ba578ba64b97355ecdea1b0c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 8a063e314ad28697f408932eaf606b6f
SHA1 9f408d5639795711edcc4fe81cdca0d8bb68b7a7
SHA256 dd95cc12ef8176889ff0f5eefa5fed2ab34ccdb9ac92ceb86b924f8256f6e137
SHA512 9e1f063493aa80fdb8da7b073e4ba9136233889949b7283caeceff75fd64ca8c7480865e013e8664e3ffc58d272cd2782bcd2b82e2e55ba93d9de5f3c0060720

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c837bf8d0c32cf41c680922331b8677b
SHA1 cd2cf3892f8cfef8a28c123a826a5163eb84a8b2
SHA256 59541c7342c795a4ccb80a75ccdfdba6be709be3b3fb78372437731db460529e
SHA512 a963553a8a898b45cb0c102ab1064721d60c68fe8cb59eb0db6c43293be74549f7b21106e395643dc9f899bb2192ba14cd946b5aba7817a71d4baebc0a32e2ea

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 0ce571a9489e0e3d3d37808a0e239873
SHA1 df74df9598accb2109a3e264d911ebf96d8b659b
SHA256 0789970cc71f38213048aefbad06a4025d9c5b735cf53227e44ae177745bdf04
SHA512 973eadac90028ced16f7ff4f41e5ebb0cef2cdf5251a6572e17ee802a2a4ce5c1f54a00fced04fe71c9b4cfc861482d26cb1e66a80eaf22294a5943caf45b93b

memory/3540-1632-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2654-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2657-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2662-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2663-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/6064-2665-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/6064-2666-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2667-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2668-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2669-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2670-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2676-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/3540-2677-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/5424-2679-0x0000000000AD0000-0x0000000000F8D000-memory.dmp

memory/5424-2680-0x0000000000AD0000-0x0000000000F8D000-memory.dmp
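
Two details in the Files section are worth pulling out programmatically. First, explorti.exe in %TEMP%\0d8f5eb8a7\ carries the same SHA256 as the submitted sample, so it is a self-copy rather than a new payload, and the other three executables are the only new hashes to block. Second, the memory-dump names encode PID and address range: the two RegAsm.exe instances (PIDs 576 and 1616) each have a region at 0x400000 of different sizes (0x12D000 and 0x243000 bytes), consistent with two different payloads being hollowed into the same host binary, while PIDs 2208, 3540, 4464, 6064 and 5424 all show a region of the same 0x4BD000-byte size, the original sample and its re-launched copy. The script below is an added example, not part of this report; it embeds a subset of the entries above, classifies each file, builds the block list and groups PIDs by the size of their largest dumped region.

```python
import re
from collections import defaultdict

SAMPLE_SHA256 = "f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634"

# Entries copied from the Files section above: the four dropped executables with
# their SHA256, one Firefox profile artifact, one other temp file, and a subset
# of the memory-dump names.
FILE_ENTRIES = {
    r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe":
        "f0760ace23ca0d98085250d6ddc387f5ce3b883e32750fc50d2e6631029c0634",
    r"C:\Users\Admin\AppData\Local\Temp\1000036001\5ceef40c6c.exe":
        "64a837de134c3db432c0b4a3b02dbd67d72fb85a93fa709536af8660582ec030",
    r"C:\Users\Admin\1000037002\d6212392b6.exe":
        "fd49efadc4c19544493788e57a9433cbb89b740ed4a20e5c7b969dcbcbb853c6",
    r"C:\Users\Admin\AppData\Local\Temp\1000038001\f6119aec5c.exe":
        "37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js":
        "dd95cc12ef8176889ff0f5eefa5fed2ab34ccdb9ac92ceb86b924f8256f6e137",
    r"C:\Users\Admin\AppData\Local\Temp\tmpaddon":
        "c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f",
}
MEMORY_DUMPS = [
    "memory/2208-0-0x0000000000300000-0x00000000007BD000-memory.dmp",
    "memory/2208-2-0x0000000000301000-0x000000000032F000-memory.dmp",
    "memory/3540-18-0x0000000000AD0000-0x0000000000F8D000-memory.dmp",
    "memory/576-49-0x0000000000400000-0x000000000052D000-memory.dmp",
    "memory/1616-74-0x0000000000400000-0x0000000000643000-memory.dmp",
    "memory/4464-439-0x0000000000AD0000-0x0000000000F8D000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def classify_file(path, sha256):
    p = path.lower()
    if sha256.lower() == SAMPLE_SHA256:
        return "self_copy"  # the sample re-wrote itself under a new name
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "browser_profile"  # written by the Firefox the sample launched
    if p.endswith(".exe") and p.startswith("c:\\users\\"):
        return "dropped_pe"
    return "other"


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def main_regions(dumps):
    """Largest dumped region per PID; for a hollowed host that is the injected image."""
    best = {}
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        if pid not in best or end - start > best[pid][1] - best[pid][0]:
            best[pid] = (start, end)
    return best


def triage(entries, dumps):
    files = defaultdict(list)
    for path, sha in entries.items():
        files[classify_file(path, sha)].append(path)
    # Block list: every executable the sample wrote, the self-copy included.
    block = sorted({sha for path, sha in entries.items()
                    if classify_file(path, sha) in ("dropped_pe", "self_copy")})
    regions = main_regions(dumps)
    by_size = defaultdict(list)
    for pid, (start, end) in sorted(regions.items()):
        by_size[end - start].append(pid)
    return {
        "files": dict(files),
        "block_sha256": block,
        "regions": {pid: (hex(s), hex(e - s)) for pid, (s, e) in sorted(regions.items())},
        # PIDs whose largest region has the same size: the same image running more than once
        "same_image_pids": {hex(sz): pids for sz, pids in by_size.items() if len(pids) > 1},
    }


if __name__ == "__main__":
    result = triage(FILE_ENTRIES, MEMORY_DUMPS)
    for key, value in result.items():
        print(key, value)
```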