Malware Analysis Report

2024-10-18 23:40

Sample ID 240814-xtvfwstfml
Target bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c
SHA256 bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 19:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 19:09

Reported

2024-08-14 19:11

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9d41b70e48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\9d41b70e48.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 set thread context of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\d982bf86bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3556 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3556 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4528 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe
PID 4528 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe
PID 4528 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4528 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d982bf86bf.exe
PID 4528 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d982bf86bf.exe
PID 4528 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d982bf86bf.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 636 wrote to memory of 4448 N/A C:\Users\Admin\1000037002\d982bf86bf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4528 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe
PID 4528 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe
PID 4528 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe
PID 2796 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2128 wrote to memory of 2624 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2624 wrote to memory of 3144 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe

"C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d982bf86bf.exe

"C:\Users\Admin\1000037002\d982bf86bf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9f3415-f276-4699-be42-9e2ee2d3d90f} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94723443-d4c9-4c26-9f5b-7e9ade616209} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2764 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0382ffa4-72ea-4c2f-897f-d10e40f3ee72} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3828 -childID 2 -isForBrowser -prefsHandle 3820 -prefMapHandle 2932 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {873ad807-f7fc-4d8d-ba26-6c807a5905c4} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4428 -prefMapHandle 1556 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b652f143-3492-42dd-8b70-6f0c58ea99f1} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eb2608f-5a5d-4775-b445-3ca648222c91} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6029864-0c75-418b-a43b-b4674ba2c1ed} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbfb52a6-a538-4cef-88d4-d0130935f023} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6268 -childID 6 -isForBrowser -prefsHandle 6256 -prefMapHandle 6260 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e860b107-b1da-4c92-aad8-7e07a66779f6} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 127.0.0.1:60849 tcp
N/A 127.0.0.1:60856 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
NL 52.178.17.2:443 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
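Most of the table above is the sandbox's own Firefox instance talking to Mozilla, Google, Bing and Akamai, plus the resolver's PTR lookups for every address it sees. The rows that belong to the sample are the ones reached by a literal IP over plain HTTP: 185.215.113.19, 185.215.113.16 and 185.215.113.100 on port 80, where the "Domain" column is just the IP again because no name was ever resolved. The script below is an added example, not part of this report or of any sandbox tooling: it parses rows in the report's own "Country Destination Domain Proto" layout (the sample rows are copied from the table) and separates C2 candidates from browser noise. The benign-suffix list is an assumption scoped to this detonation, not a general allow-list.

```python
"""Triage a sandbox network table: C2 candidates vs browser background noise.
Added example; rows are copied from the report, BENIGN_SUFFIXES is an assumption."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the report's rows, verbatim.
SAMPLE_ROWS = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
N/A 127.0.0.1:60849 tcp
NL 52.178.17.2:443 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
"""

# Assumption: background traffic of the sandbox's own Firefox instance.
BENIGN_SUFFIXES = (
    ".mozilla.net", ".mozilla.com", ".mozgcp.net", ".mozaws.net",
    ".google.com", ".gvt1.com", ".getpocket.com", ".bing.net",
    ".akamai.net", ".openh264.org",
)

# The Domain column is optional: the report leaves it empty on some rows.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows into dicts. A row that does not fit the layout raises,
    rather than being dropped, so a changed export format is noticed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    domain = row["domain"] or ""
    if ip.is_loopback or ip.is_private:
        return "local"
    if row["port"] == 53:
        # The resolver doing PTR lookups for every peer is analysis-environment
        # noise, not sample behaviour.
        return "dns-ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if not domain:
        return "unnamed"
    if domain == row["ip"]:
        # No name was ever resolved for this peer: the address was carried in
        # the sample itself. This is how the 185.215.113.x hosts appear.
        return "direct-ip"
    if domain.endswith(BENIGN_SUFFIXES):
        return "browser-noise"
    return "unknown"


def summarize(rows):
    return dict(Counter(classify(r) for r in rows))


def c2_candidates(rows):
    """Peers reached by hard-coded IP over plain HTTP, with connection counts.
    Every other non-DNS flow in the sample goes to a resolved CDN/Google/Mozilla name."""
    hits = Counter(r["ip"] for r in rows
                   if classify(r) == "direct-ip" and r["port"] == 80)
    return dict(hits)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(summarize(rows))
    for ip, n in sorted(c2_candidates(rows).items()):
        print(f"block {ip}:80  ({n} connections)")
```

The "direct-ip" class is the useful output: on the full table it yields exactly the three 185.215.113.x hosts (four connections, .100 twice). The "unnamed" row to 52.178.17.2:443 and the loopback rows are left out of the candidate list deliberately; nothing in the report ties them to the sample, and a TLS flow without a resolved name is not on its own evidence of C2.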

Files

memory/3556-0-0x0000000000E10000-0x00000000012D0000-memory.dmp

memory/3556-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

memory/3556-2-0x0000000000E11000-0x0000000000E3F000-memory.dmp

memory/3556-3-0x0000000000E10000-0x00000000012D0000-memory.dmp

memory/3556-4-0x0000000000E10000-0x00000000012D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 51f1d63e0011310e16b9cc937dff061c
SHA1 689bfbd2b6fc118f96bb10ab74ab486685ffa2ea
SHA256 bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c
SHA512 b8a349620081882e69cdbddabf3c4add96e4397fdfc5c3c4548c678a435ae250614bae90d4e1c199c913d229e3c4fe1dba694851ee991462537b1297f03c114e

memory/3556-17-0x0000000000E10000-0x00000000012D0000-memory.dmp

memory/4528-18-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-19-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-20-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-21-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-22-0x0000000000A10000-0x0000000000ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe

MD5 f8a0a57e59145dbc07e9eea86c379910
SHA1 d8f641d14b80d262f999b912a8fb1a6735913885
SHA256 ba43aa294156e377ae6a0aaee5006b9af062533a1a6089ec873d5c091d706934
SHA512 ec556386c343c6db714b189bb404a1db161aa8d0c75768abff2a0755e21d3ac18b6212af0237dcb141d3b61ae665005bc53dc162a5bf47d49b67fbb27e5e726c

memory/2844-41-0x000000007360E000-0x000000007360F000-memory.dmp

memory/2844-42-0x0000000000DE0000-0x0000000000F32000-memory.dmp

memory/2796-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2796-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2796-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d982bf86bf.exe

MD5 44f3a5221b50fd602e29fd927f8b6e23
SHA1 49afe6aea1fa8ce4e6340f0b2a5f9cf50e07ca63
SHA256 2bc4046f376f48ec3c3456cefa45279a0f187b3d5eef73768b48eafce424b807
SHA512 c50972890fd2bfcecb6774a0629d16ff55ba0f8a3006cdbcfb088e91cd538b454e23376fe29ac871590336ab54295e7d47b24f2fb67fc24ea6755f66a3316516

memory/636-67-0x0000000000C20000-0x0000000000C78000-memory.dmp

memory/4448-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4448-69-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\8a48d19e10.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/404-87-0x00000000000E0000-0x0000000000323000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 562b5492646acbe60402c5785024c5ce
SHA1 674151a7455be8b954b26250a775bff062f80d1e
SHA256 b45d5724ec16ffd4356999ab067b7ab2344af48819e7f3c37c79d4277baa63b2
SHA512 85bd5d570f831abbaa756006bb8aed1777967f2b1914dd8d7305a00fc33e6e93ace30f046d033afd7bbb1f40c63df5a435520e8330ced624d53cec291fc18f39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\c7811470-66a2-4fe2-adba-4a6dcf78294e

MD5 37154926e2746c2f988f7a1b2ce2213c
SHA1 7b1c5544db432470fdfc05533a0fd1062654741d
SHA256 16aee2c3d6bc45dc9e8c1050ea30fab8f1858183e833d2bd53eafef041eb7b12
SHA512 0fb14744e07bd1c910441ebd03fa14e851448aa66684fab4e1b27c6f55c2ac508ab96f49075b9e282ffd1fd0ec545268d76c37dcf34990d8a41307e3ef2b1cdd

memory/4448-295-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\f4dca49d-f46a-40b6-ad42-e9f4b237f9de

MD5 508d25c448cfc3403f8c130d4b32aa80
SHA1 535398146da047e6dcfec7a0cc0a4dff6aec5878
SHA256 761a6d094d8330660e469f4fe2c53b7700c9eb4f9a6ef3f063f853a18c4bacd2
SHA512 fe74f43ff2708d2203e7c9c63731718dfa496e9d06f3c8114f0f74ae703ea92615d9018b77c6ab72a37f948464f48b9994af753f575c857e6b4c000b713caa00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\68235e67-8025-4b8d-8b8a-7e78a18c854a

MD5 6b37f581acd38d704b9c7d0b7202a270
SHA1 cc8e77e0372f9420b439ffc5d79ec47c2b1ea536
SHA256 b3c24fe6ce9c239c61cb369add92332192b781c5608e831533fdb43ac985f751
SHA512 16aabea91f2f3d782745c98554c1113f28177f8ce1a6a9150e78f8985a3561e9497e57eea623d5b2ca683e7dd1a8fd3688e9bd76a300b4ea680adb5ca6814352

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 6d4f3c9d180b306a3bda5b7812c87309
SHA1 e13eeb61d56aa65cab1f52f4187f025bf4d51c57
SHA256 cd8b5b97df799d1aa34aead045be78b56d141c5cab7654b8e7633ed1831a26ad
SHA512 25602f1bd450f773745ba02617d622808e3931a9fdfee002ed9854b7c33f3e3c66bd05a7e5720b68e1e26cb7df588b91974973defd7c04f13cc6f011cd11c365

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

MD5 571184869bd28e8b0668e339ea657053
SHA1 92a41fb561ec8a9f36a9b0668f1584a5231b9ece
SHA256 2597f1f29c60cfc79eb36c4d97a1667007404de8bd702b04642d0c3ae137b793
SHA512 e6eb8a8ddaa0455e8514e2cd6bb42f90799fceeaf5d825e483548605ff7bc730e246deab578d0474342d4439fb446e99abc2058c845b3fa1a3cb9374435c4a00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 b3465ed433286593725423d4378aff69
SHA1 fc5ecac9c92cb70b8fc4ac8c5ddd6692b4f90d09
SHA256 4c67ad7f971c1478f6fdae2d272d47b55dbf84ddd04046d68337a43afc7bb84c
SHA512 0b828336e47e72ed01ebc09a04cfbc04fa8bd02753b70d6487148e8edad8bac35217e4c2a85d1efba41df344366ff7f8f2b4ef272d46a28418d805a9b26d344b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 eebeac55424fdb5988998b981a1fd11b
SHA1 7f5b3e0cb2cf86971456287f24abb329c276b87d
SHA256 0c010cc6b3781c1e44919cab3e5a38f9d0c4d802f6e4a968a8bdfa52098da816
SHA512 cedefa09d48136b6f8857905764235c2e1c9b125b2bb4bb6a349de8c684f5fb25ef7de6bcebb3dacb23a26386c413b2f730fd1cbb2ff0e58f0fe0349f8436f09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 1e5efce87b3bb424cc6a20d5c73daa94
SHA1 2ff849e4186cfdbe1a160626588f219895281f7b
SHA256 5ae2b8a933ae7ea3f5c1e8c105a4824e7c6fff7bff3b671c93f993202721c94f
SHA512 75bad99e9ae51433a5b835a26abde082aa683d16fa1d9f3697781db9f4b466959bf91f6bec16002a292f374a2b3ebb95453fe56e8d2ca3e533b5d7127e84ef59

memory/4528-468-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-500-0x0000000000A10000-0x0000000000ED0000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cookies.sqlite-wal

MD5 1e5f532023268c9511787e7ab220982a
SHA1 5a0cbd389ae5411211094a417e93a18e9c121c48
SHA256 7925b7dc661afa1ca80540c73b41a9a14dc34d2aaa097265d42530967bf3cd01
SHA512 3032b5c3a4e7287ba5f085a2cdda1965d803959f887a573825fb73bc922ff57129f73eff1389dc3ff0b06c85abfe65bdf627fb96f05fce850fa889a2139467df

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\places.sqlite-wal

MD5 60fd38d8914bcecd0c6f4041d5e060c0
SHA1 4de88453da67c1acca247eb71510e9894e276d23
SHA256 e5e484fa01a5cdc68db8a17b340d4f1e60deb1533dd86e0a49244c61454fb149
SHA512 9e1e6ee641a4d5343ca51660a208da0d4e5e406d0142be19bae2771230f08e578891a40482d702c3ab1956f8f9a88aff56df62a34606047bd023f53a84a69f9e

memory/4528-525-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-526-0x0000000000A10000-0x0000000000ED0000-memory.dmp

C:\ProgramData\AEHIJKKFHIEGCBGCAFIJ

MD5 6935d6a41f9f7ad69d3188e9a35c6ce4
SHA1 ee08beb81769a2b0ddfcf3a932274aa0fa3daf2d
SHA256 87bc43e0d2a90ef156315cf95497ea93314a86722db9bc834ede78181da530b6
SHA512 0df3f10b5de2d7679028456060b20f283a9edf70ec10d7723f99e3a62d789a20d4847b98a00f94cda365e7a29e750eec6c473d6bf0ec8f621c7a3424ba8ffad7

memory/404-537-0x00000000000E0000-0x0000000000323000-memory.dmp

memory/4528-538-0x0000000000A10000-0x0000000000ED0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 e51a1177239efa162dcc04291f06f10e
SHA1 577f32ce19fb0755aac6843482c99f262f54a413
SHA256 958eae9b1e6cae8f4630860cf85a9a8411929cf3be870ded749aed9c675ae98e
SHA512 13f8b47d5f973cf80299ba250cd997fb9939b238a413f1a57fcc3da62517a542a564d098ca40e367837612a84201dd17d77dac9f1f65f5fe1b999c3dcaf0982b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 4ca52a7a03ab29c5699c9a1a8f8f76b3
SHA1 621bdeebfd8bfc12c86869e476a69a2f2840ffff
SHA256 703c9a2399ab9bd3605534e74cdc2714b1332f224a85a3121c75872ce59f39d9
SHA512 e7000160f86860a729acab6ad3a5686b636b77ced5dd8ff70d991047687dc8861fa1ec5ad8155c1d50a07c50e913b76d3dcea88c6cb25e5fc8b01546893f3101

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 85637f55fb6104400d9c61c107861ac6
SHA1 a0bb0d071ac57ccdc70cd874fef9bb6014eb6a81
SHA256 362750e815c4fc84dc3f20db7d0c9924d6f49ebb82d01f2e88c6c370d461cedb
SHA512 01beb4fb6609c880f61c20de16cc96426391cf91133cbce0eff3c99ab323ba44367d1056a6f7e121f97f5a32b1575a8b1aa4c379dd43bfe4cb9a0de3e9199b77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 66e96adc83120b7d02ad6b1d6302cd87
SHA1 a6c4a48ff2d3240928fab8778aceae5636c91f8d
SHA256 12c4c83c0ba5726d537e4b314942016ec31ece1757dffda982a1cc33775b1066
SHA512 ca0598909ad459cf4a15fd4d2350fa171abe139cdd3dfcbae1ebff53c98d9a1cfa8fb35945553751771edc9479c0530ffa9056e5aa1037f3293b6df1a08a5ecd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 542042aa98251d96bf44b04354538db7
SHA1 15318ecc0d29a91f2aebbcc701cb27a3d36cdc99
SHA256 c955183db615d948378685b1ac19a1aca1d5cfa1ef0b305684bd934465b9d666
SHA512 5aa2caab2dff7116875ca4301919101c32d75cb187cce19b46c95ef2da3c7f0cec00aa574e2fb121af3937edd19550136f711e28c7986c3f576dce3ceb2615a4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 3c1cf579a156bf8c70858692e07b964c
SHA1 3c6e8ab94ecabd1cacda69ff12865a90159371b8
SHA256 0bcdd8bb637d6dabef15b21c5e9c5e45c4f1ca79d01c2c2e7ecd0cc35be28127
SHA512 e1c0670b362bc6b5bdfedeb71ade4f2b88ca6f4884dba546df451fabba4713b422ab28a64180fe2c3dd4fe03d0ba25d3d2a77b51128b5d9350e069c0ec0c79d0

memory/4528-1148-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/6028-1609-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/6028-1652-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2650-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2661-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2667-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2671-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2672-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2673-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/5828-2675-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/5828-2677-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2678-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2679-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2685-0x0000000000A10000-0x0000000000ED0000-memory.dmp

memory/4528-2686-0x0000000000A10000-0x0000000000ED0000-memory.dmp
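Two things in the Files list are worth pulling out before turning it into indicators. First, C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe carries the same SHA256 as the submitted sample: the loader copied itself to a new location and the later explorti.exe processes are that copy. Second, C:\ProgramData\nss3.dll and C:\ProgramData\mozglue.dll are Mozilla's own libraries (the same names ship with Firefox), so their hashes are not useful as block-list entries; their presence in C:\ProgramData is the indicator. The script below is an added example, not part of this report or of any sandbox tooling: it parses entries in the report's own format (path line, then MD5/SHA1/SHA256/SHA512 lines; the constructed sample omits the SHA512 lines, the parser accepts them) and splits them into hashes to block and paths to hunt. The path rules encode what this report shows, namely ten-digit download directories and a ten-hex-character directory under Temp for the loader's copy; that they generalise to other runs is an assumption.

```python
"""Turn a sandbox Files section into block-by-hash and hunt-by-path IOC lists.
Added example; entries are copied from the report, the path rules are assumptions."""
import re

SAMPLE_SHA256 = "bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: one memory-dump line and seven entries, verbatim from the report.
SAMPLE_FILES = r"""
memory/3556-0-0x0000000000E10000-0x00000000012D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 51f1d63e0011310e16b9cc937dff061c
SHA1 689bfbd2b6fc118f96bb10ab74ab486685ffa2ea
SHA256 bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c

C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe

MD5 f8a0a57e59145dbc07e9eea86c379910
SHA1 d8f641d14b80d262f999b912a8fb1a6735913885
SHA256 ba43aa294156e377ae6a0aaee5006b9af062533a1a6089ec873d5c091d706934

C:\Users\Admin\1000037002\d982bf86bf.exe

MD5 44f3a5221b50fd602e29fd927f8b6e23
SHA1 49afe6aea1fa8ce4e6340f0b2a5f9cf50e07ca63
SHA256 2bc4046f376f48ec3c3456cefa45279a0f187b3d5eef73768b48eafce424b807

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 1e5efce87b3bb424cc6a20d5c73daa94
SHA1 2ff849e4186cfdbe1a160626588f219895281f7b
SHA256 5ae2b8a933ae7ea3f5c1e8c105a4824e7c6fff7bff3b671c93f993202721c94f

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\ProgramData\AEHIJKKFHIEGCBGCAFIJ

MD5 6935d6a41f9f7ad69d3188e9a35c6ce4
SHA1 ee08beb81769a2b0ddfcf3a932274aa0fa3daf2d
SHA256 87bc43e0d2a90ef156315cf95497ea93314a86722db9bc834ede78181da530b6
"""


def parse_files(text):
    """Path line followed by hash lines; memory/ lines carry no hashes.
    Digest length and charset are checked so a mangled copy-paste is caught."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if current is None:
                raise ValueError(f"hash line without a path: {line!r}")
            digest = digest.strip().lower()
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[algo], digest):
                raise ValueError(f"bad {algo} for {current['path']}: {digest!r}")
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def classify_path(path):
    p = path.lower()
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "firefox-profile"      # the browser's own writes, not IOCs
    if p.startswith("c:\\programdata\\"):
        return "programdata-drop"     # where the stealer stages its files
    if re.search(r"\\\d{10}\\", p):
        return "loader-payload"       # numbered download directories (assumed pattern)
    if re.search(r"\\temp\\[0-9a-f]{10}\\", p):
        return "loader-copy"          # the loader's relocated copy (assumed pattern)
    return "other"


def triage(entries, sample_sha256=SAMPLE_SHA256):
    out = []
    for e in entries:
        sha = e["hashes"].get("SHA256")
        kind = "self-copy" if sha == sample_sha256 else classify_path(e["path"])
        out.append({"path": e["path"], "kind": kind, "sha256": sha})
    return out


def block_hashes(triaged):
    """Safe to block outright: the loader itself and what it downloaded."""
    return sorted(t["sha256"] for t in triaged
                  if t["kind"] in ("self-copy", "loader-payload") and t["sha256"])


def hunt_paths(triaged):
    """Hunt by location, not hash: legitimate Mozilla DLLs also exist on clean hosts."""
    return sorted(t["path"] for t in triaged if t["kind"] == "programdata-drop")
```

The hash match against the submitted sample is the stronger signal for the self-copy: the directory pattern would also fire on a renamed loader, but only the hash proves it is the same binary. C:\ProgramData\AEHIJKKFHIEGCBGCAFIJ sits in the hunt list because the report shows it written alongside the two DLLs; what it contains is not stated on this page.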

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 19:09

Reported

2024-08-14 19:11

Platform

win11-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d41b70e48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\9d41b70e48.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4220 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1916 set thread context of 4888 N/A C:\Users\Admin\1000037002\8a48d19e10.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
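Read together, the tables above describe a chain rather than a list of unrelated hits: the submitted sample checks for VirtualBox and Wine, writes C:\Windows\Tasks\explorti.job, and the relocated copy explorti.exe repeats the same VM and BIOS checks before setting the Run key for 9d41b70e48.exe, which in turn uses SetThreadContext on RegAsm.exe. The script below is an added example, not part of this report or of any sandbox tooling: it parses rows in the report's own "Description Indicator Process Target" layout (sample rows copied from the tables above, N/A for an empty column) and maps each process to ATT&CK Enterprise technique IDs. The IDs are real ATT&CK identifiers; which indicator maps to which technique is this example's judgement, and in particular reading SetThreadContext on a freshly spawned RegAsm.exe as process hollowing is an interpretation, since the report only records the API use.

```python
"""Map sandbox signature rows to ATT&CK techniques, per process.
Added example; rows copied from the report, the RULES mapping is this example's judgement."""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d41b70e48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\9d41b70e48.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
PID 4220 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
"""

# Columns are space separated and paths may contain spaces ("C:\Program Files"),
# so the process column is anchored on a drive letter and the target on N/A or
# another drive path at end of line; the indicator is whatever sits in between.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \(\w+\)|"
    r"File created|PID \d+ set thread context of \d+)\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Z]:\\.+?)\s+(?P<target>N/A|[A-Z]:\\.+)$"
)

# (description pattern, indicator pattern, technique id, name): this example's mapping.
RULES = [
    (r"^Key (opened|value queried)$",
     r"\\ACPI\\DSDT\\VBOX__|\\(System|Video)BiosVersion$|\\Software\\Wine$",
     "T1497.001", "Virtualization/Sandbox Evasion: System Checks"),
    (r"^Set value", r"\\CurrentVersion\\Run\\",
     "T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys"),
    (r"^File created$", r"^[A-Z]:\\Windows\\Tasks\\[^\\]+\.job$",
     "T1053.005", "Scheduled Task/Job: Scheduled Task"),
    (r"^PID \d+ set thread context of \d+$", r".",
     "T1055.012", "Process Injection: Process Hollowing"),
]


def parse_rows(text):
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "N/A N/A N/A N/A":
            continue                       # empty rows (e.g. AutoIT Executable) carry nothing
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def map_rows(rows):
    """Per process basename: sorted technique IDs. Processes that match no rule
    (here firefox.exe) are left out rather than reported as empty."""
    techniques = defaultdict(set)
    for r in rows:
        proc = r["process"].rsplit("\\", 1)[-1]
        for desc_re, ind_re, tid, _name in RULES:
            if re.match(desc_re, r["desc"]) and re.search(ind_re, r["indicator"]):
                techniques[proc].add(tid)
    return {p: sorted(t) for p, t in techniques.items()}


def injection_edges(rows):
    """(source, target) basenames from SetThreadContext rows with a real target."""
    return sorted(
        (r["process"].rsplit("\\", 1)[-1], r["target"].rsplit("\\", 1)[-1])
        for r in rows if r["desc"].startswith("PID ") and r["target"] != "N/A"
    )


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, tids in sorted(map_rows(rows).items()):
        print(f"{proc}: {', '.join(tids)}")
    print("injection:", injection_edges(rows))
```

On the rows above this gives the sample T1497.001 and T1053.005, explorti.exe T1497.001 and T1547.001, and 9d41b70e48.exe T1055.012 into RegAsm.exe. The Firefox row parses (the spaces in C:\Program Files\Mozilla Firefox\firefox.exe are handled by anchoring on the drive letter) but maps to nothing, which is the right outcome for the browser the sandbox launched itself.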

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\0174d3c890.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\8a48d19e10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (35 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical rows)
PID 4088 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe (3 identical rows)
PID 4220 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 4220 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 4220 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 4220 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical rows)
PID 4088 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8a48d19e10.exe (3 identical rows)
PID 1916 wrote to memory of 1812 N/A C:\Users\Admin\1000037002\8a48d19e10.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 1916 wrote to memory of 2000 N/A C:\Users\Admin\1000037002\8a48d19e10.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 1916 wrote to memory of 4888 N/A C:\Users\Admin\1000037002\8a48d19e10.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical rows)
PID 4088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0174d3c890.exe (3 identical rows)
PID 3056 wrote to memory of 564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 564 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 1768 wrote to memory of 916 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (5 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe

"C:\Users\Admin\AppData\Local\Temp\bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\8a48d19e10.exe

"C:\Users\Admin\1000037002\8a48d19e10.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\0174d3c890.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\0174d3c890.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acc90ddd-f613-41bc-a073-1dc11983d1a4} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9738bf46-2548-4d20-a434-01bb573c436c} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be8bc953-bcfc-4308-a7ff-8339fa3ed82f} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 1072 -prefMapHandle 3780 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dccf7bb8-7b58-4a92-81a9-9f996b4a1833} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 912 -prefMapHandle 4780 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b6051a-ee95-41c6-8dd2-0057f0cfeb33} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 3 -isForBrowser -prefsHandle 4284 -prefMapHandle 5612 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a279e46-08d4-4b7f-9a08-fb96371ec5bb} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5896 -childID 4 -isForBrowser -prefsHandle 5796 -prefMapHandle 5892 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a53c1451-3746-43bc-88f8-a4f7286230d9} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 5 -isForBrowser -prefsHandle 5984 -prefMapHandle 5988 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bebc5953-9b74-4f35-9455-d78be0fec795} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6188 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ff7ac8c-52f8-49bd-acd9-a25d03ada96c} 1768 "\\.\pipe\gecko-crash-server-pipe.1768" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 identical rows)
RU 185.215.113.100:80 185.215.113.100 tcp (2 identical rows)
N/A 127.0.0.1:49867 tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp (2 identical rows)
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.201.174:443 play.google.com tcp (2 identical rows)
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
N/A 127.0.0.1:49876 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp (6 identical rows)
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
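
The table above mixes three connections made straight to IP addresses on port 80 with a long tail of Mozilla, Google, Bing and Akamai traffic that the report does not tie to the malware. The script below is an added example, not part of the report, that parses rows in this table's layout and separates by-IP endpoints from named hosts, decodes the in-addr.arpa queries so the PTR lookups can be matched against those endpoints, and clusters the endpoints by /24. The sample rows are a subset copied from the table; the keys in the result dict are this example's own names.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: a subset of the rows from the Network table above.
# Rows with no Domain column (the loopback connection) have three fields.
NET = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49867 tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
"""

class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str

def parse(text: str) -> List[Conn]:
    """Country Destination [Domain] Proto -> Conn; malformed rows are skipped."""
    out = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 4:
            country, dest, domain, proto = f
        elif len(f) == 3:
            (country, dest, proto), domain = f, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        out.append(Conn(country, ip, int(port), domain, proto))
    return out

def ptr_target(name: Optional[str]) -> Optional[str]:
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def direct_ip(c: Conn) -> bool:
    """True when the Domain column is just the address: the client connected
    by IP with no DNS name involved. Loopback is excluded."""
    return c.domain == c.ip and not ipaddress.ip_address(c.ip).is_loopback

def triage(conns: List[Conn]) -> Dict[str, object]:
    """Split the table into by-IP endpoints, the PTR lookups that point back
    at those endpoints, the /24s the endpoints share, and the named hosts."""
    direct = {c.ip for c in conns if direct_ip(c)}
    ptr: Set[str] = set()
    for c in conns:
        t = ptr_target(c.domain) if c.port == 53 else None
        if t:
            ptr.add(t)
    nets: Dict[str, Set[str]] = defaultdict(set)
    for ip in direct:
        nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(ip)
    return {
        "direct_ip_endpoints": sorted({f"{c.ip}:{c.port}" for c in conns if direct_ip(c)}),
        "ptr_for_direct_ips": sorted(direct & ptr),
        "direct_ip_nets": {k: sorted(v) for k, v in nets.items()},
        "named_hosts": sorted({c.domain for c in conns
                               if c.domain and c.port != 53 and not direct_ip(c)}),
    }

if __name__ == "__main__":
    for key, value in triage(parse(NET)).items():
        print(f"{key}: {value}")
```

Three hosts in 185.215.113.0/24 reached by bare IP over plain HTTP are the part worth blocking and pivoting on; two of them also show up as PTR queries to 8.8.8.8 in the same capture, which the correlation surfaces without any external lookup. Everything else in the table is a named host over 443 that a blocklist built from this report should not include.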

Files

memory/564-0-0x0000000000DF0000-0x00000000012B0000-memory.dmp

memory/564-1-0x0000000077CC6000-0x0000000077CC8000-memory.dmp

memory/564-2-0x0000000000DF1000-0x0000000000E1F000-memory.dmp

memory/564-3-0x0000000000DF0000-0x00000000012B0000-memory.dmp

memory/564-5-0x0000000000DF0000-0x00000000012B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 51f1d63e0011310e16b9cc937dff061c
SHA1 689bfbd2b6fc118f96bb10ab74ab486685ffa2ea
SHA256 bbaa6d9a443b8d2c74ac44dc498347db9b1286a931dc0f7c900e0570352af52c
SHA512 b8a349620081882e69cdbddabf3c4add96e4397fdfc5c3c4548c678a435ae250614bae90d4e1c199c913d229e3c4fe1dba694851ee991462537b1297f03c114e

memory/564-17-0x0000000000DF0000-0x00000000012B0000-memory.dmp

memory/4088-18-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-19-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-20-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-21-0x0000000000D90000-0x0000000001250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\9d41b70e48.exe

MD5 f8a0a57e59145dbc07e9eea86c379910
SHA1 d8f641d14b80d262f999b912a8fb1a6735913885
SHA256 ba43aa294156e377ae6a0aaee5006b9af062533a1a6089ec873d5c091d706934
SHA512 ec556386c343c6db714b189bb404a1db161aa8d0c75768abff2a0755e21d3ac18b6212af0237dcb141d3b61ae665005bc53dc162a5bf47d49b67fbb27e5e726c

memory/4220-40-0x000000007368E000-0x000000007368F000-memory.dmp

memory/4220-41-0x0000000000F50000-0x00000000010A2000-memory.dmp

memory/3056-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3056-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3056-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\8a48d19e10.exe

MD5 44f3a5221b50fd602e29fd927f8b6e23
SHA1 49afe6aea1fa8ce4e6340f0b2a5f9cf50e07ca63
SHA256 2bc4046f376f48ec3c3456cefa45279a0f187b3d5eef73768b48eafce424b807
SHA512 c50972890fd2bfcecb6774a0629d16ff55ba0f8a3006cdbcfb088e91cd538b454e23376fe29ac871590336ab54295e7d47b24f2fb67fc24ea6755f66a3316516

memory/1916-66-0x0000000000F60000-0x0000000000FB8000-memory.dmp

memory/4888-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4888-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\0174d3c890.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1436-86-0x0000000000280000-0x00000000004C3000-memory.dmp

memory/1436-87-0x0000000000280000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\50bb0c3b-41d6-44fd-bcc7-ffcd3c156d0d

MD5 cb8fa63e4d8faf20a6adf43128fec7d1
SHA1 6b3ab6201378961576d3a3f225c57473a7675b8f
SHA256 b3f0b72df54d51a379aa04d53402fca8a1adae66f19f8d14d188e857c30ad229
SHA512 d0877393dd3320fb46a5ed4575368cf63d405d2200677a663057fe960d280df3ae47aaa5d57a61c53fe94877d94cd278f10975d1c4dba7f82dc1f4d0679550a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 6e72a0d6ef96e902c992d8e26119089c
SHA1 ea9cf2ae5739a34a23e950fee89ba2cc5221c329
SHA256 1b5efcf08372bba12e58e8e61f35e12da4eed4d4bb534bbeac81f84decf7f05a
SHA512 3ded838fca82101e1d70c87c0f709b389b3382534665d75d0e17a508ac6f626498427f601722ab03aaf5da6f65c3300772ce3e647ae98e838f15e6113e53b39e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\625860f3-1fe6-4480-99d1-4bec930cea02

MD5 4d0222a0d61ce501326070a191805a5e
SHA1 03bde5ca46f947801378795e981c349be4164f24
SHA256 3b71de74bf9c8d737a6546b3e9de352a8d1ec9ba27d90cda714a937e91fea6af
SHA512 4cb9add0468e72610489f0fa11e3557d58e337c540e494e1d375b9c67d2f7feefe51c2a1b952f4fd83e8c3c34af379c2112493fd2bb7c68df6e5cbbc962dbb97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\58be3d75-b62d-4a0e-9a7b-b4adcdf811ba

MD5 73575e4b2dfa85066bea5ff13c9a9920
SHA1 fd886bedb1a20da3260a01cf09927ebb83d7ac16
SHA256 5d34e2efda7757fc6ff4cbb8d390d89989764a1225f889ef2684e4db513d7d20
SHA512 0dfc8f1ba65b85b4d647dc87131229423a92784dff12bc8456bae563fbb09f03682a6ebe7d05eedf6f3d4378d701ea6bda07ce0391778ba0d16442aa71df842d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 3a8da9a972ea7e8ffd15b838dad113f2
SHA1 5da6edc83189798fe22cdecb553383cf4ec3f3dd
SHA256 afcf43ec0257cac65765543a46679f301d329b8451197b6abe1d2d3238fc99df
SHA512 c0d3fb9434e725226669b343c7a3f2342286daaf9b099fe07fc5c37788dba470d8984ed9bff773d2e7339a1da9ae3b3a1972c3704c403fec92a0deb101df2b7a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

MD5 3e062633c98c192f464d5d43900233d9
SHA1 43f1f7ea91b56d480898c60e90287421d4cea4ef
SHA256 140060876bf869c1d1c68a75db82a37ef6d22a79c6e6a028eea4bf9615f6c941
SHA512 92912e0cd3ee950262ad3f4e59fec9d0f23784ababb1cc8089e63f65c4122e56342c26a95685710d404f1c39f7ebc50c928e31d34dfda5e343a09fc4784adbeb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 4600b91072aff79d04bc38b00416dd63
SHA1 e3f2d02b619916f730c5dc85feed10f2df60030f
SHA256 5de186b5083b6beb9ec10fe60fc7f62009e0d2f81b1d48484cfa74f4016a5e1f
SHA512 521d6ffeba29ca4269e7681103bbea6c6e078c01f056c9ff6fc1bc689f73472a365dc63a285720a411ffa10594aa942d98ec2de24554526de697f33ecb6d1765

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 d859b0d0178c9cddb8bd0fb18fc39c29
SHA1 800202f1c546372f3392c368598560a9c118241c
SHA256 83597ced29a8c7eab843464ea1f320c8057e808f76a08127416d21ac982bdcf2
SHA512 c2cd3bf4de6b29b1883f7b9526073545570ca2756e50188861816c4442abc93f904f2b30de2e4974dcf368aff2c4ca96b048a7d6d23cfb28fdb0d97dc9f29e1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 c0f4b313fe72a4e42fdd672dd6bca387
SHA1 6845111d0485a814d41756e5810f83fafb1eba8a
SHA256 361e1aced07a85614cf3bd0a8c1060e3411e85177d67e98aa13c04e3b92f0ac7
SHA512 8d25e2f1f1171983b6ec7357e41f9eba4d0ac6d24340df18da439b1f9ee78e94819caa8de6d23ff880210a8bcadfaa59ccf0a4191d5c3646c44854a93958bdcc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 63497fefaecf5ddc6ec83a39fdfcdff8
SHA1 4f3d2f363af3156faa2baf7cdb5064aba71fcdb8
SHA256 5513b7e2f6b3111e173350d8dfc8d6f86ebedef35af73c399f48bd84fef88ae8
SHA512 4250a5f042b601bff45156d33d2652fad6d29ff2ba0135d8fd01116d226e5253518189af45e6b5a94eaeaedec7b97bc22cb90f9f7852d66dde64a372f191907d

memory/4088-433-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-456-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-457-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-462-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-463-0x0000000000D90000-0x0000000001250000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 6c6c516ff566f0a7246ced9b49c279e4
SHA1 fee7da7f4673c4db535bd4a466663dc74ddf1d41
SHA256 ce12bd050aef792f975620b06c10c15cf4b6e0f3bc1cb3a7df55ec8450382827
SHA512 dbaf0e442b138dbcb792b937daca821b57a25a51557f28ee13fd2bacc76585a6807981f11b2f8a5f3fb2a62eaf1b0b896fffd36c7a49b4e5b956e6d04e3e7515

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 a42dbbf3d4e99ddc7285f21fcb6015e3
SHA1 422236b61f96096f43e903f53f0e9f66a427b4e7
SHA256 9e062074c00bd444837f0680d8247f3c2e3f16f9a00645f4750ed39d1e00db24
SHA512 aeb95cdeb26aac6e099bfb9ea10437ffec9775a6a5f6bb6d1b1bb3546723b7d8f7e3e41d1b09738fb76b5fbe0547514cf6df9e494ab796d62b516f9224f9c5b8

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d63f4cd8eb44f01fd33e2c61846dd924
SHA1 e07c3cce5a677ac464736cd9fbec134e01a94892
SHA256 2482a65c9086f7b9a96c7f6467c347673f3330662fba353ace051abe221b69f4
SHA512 5fdfc50d2dac15fd69a010cb4ea9eceb962856cc1d458278d625fd252e7411e75545cc065a944e1680f7a4bac4b25f92e05537198a74167a86197ff4ec99de75

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 3c42cd9ebfd99fd91c614d271d6dd1aa
SHA1 5362ce9cac19e3568f44bea670265cc5ac20f464
SHA256 91a5dd838d21f5800a827088e0fa8667daa153d2b78b5ff6d592e88c373e6cc4
SHA512 fe2349a811e565a91a0d0bc5049adc49e6d66eacf3912b793d69d785b5be30954047d34af1258024ecfe151137fe677543f884c749f585dd7d0d21524e991cd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 aa9e06cb26ab82569b38467097de53ea
SHA1 16ef57a040a0b2d4648a8def8ee28d42517fa3fe
SHA256 6ae6a0c2b1fe762a7206e7e97a0befe45e280797dc615d2d4c86bef3abba658b
SHA512 8551e792e33ffb974bf2e1eb8a947fd28ea247ad98bc1e07f7b842eb68721ec877bd45c18e6c21cc18215fc661468a14f749a290a9305626321371f36890ff5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 7d3f1d5b31947cf6c882b4907d6182a7
SHA1 41723d956cfbb6e818642e65201ba673a10b1141
SHA256 bb2a9230db595b0572f46593ebf8a19e543b7814713ab14a0bfe22d28ab40c98
SHA512 6c42b4be37dbe87159a0674a86060b6d74c9d5a743229bb4a9ba3c1ef8679ccf6afb0f74928ad6025d6ede913d0e552a5c6dd3eec501b3bf479bd6c6d48d462b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 a4e93ba85d8458617ad3130ea25c7a5f
SHA1 c558a7965e71cad9c12e798435ac5d66816875bf
SHA256 561a71065d008aee6510e6b5e4f70f71b37912d20a548049fcbfd3548d676b48
SHA512 1915b29bfcaf4bdf3893641a95fb3f003f1fd9c8072622db568737f564af6924d2af6d00479dcf449a0b8c20fb629e5978716e065703c887c28ccd290ae5202a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/4088-1281-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/3400-1550-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/3400-1591-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2558-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2564-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2570-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2574-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2575-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2576-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/5300-2578-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/5300-2579-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2580-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2581-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2587-0x0000000000D90000-0x0000000001250000-memory.dmp

memory/4088-2588-0x0000000000D90000-0x0000000001250000-memory.dmp