Malware Analysis Report

2024-10-18 23:43

Sample ID: 240814-ys8skawflk
Target: 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353
SHA256: 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353

Threat Level: Known bad

The file 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:04

Reported

2024-08-14 20:06

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a93744b8ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a93744b8ba.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 set thread context of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\db7b6c0123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5048 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5048 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe
PID 3276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe
PID 3276 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3276 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\db7b6c0123.exe
PID 3276 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\db7b6c0123.exe
PID 3276 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\db7b6c0123.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\db7b6c0123.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3276 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe
PID 3276 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe
PID 3276 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe
PID 2724 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2724 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1708 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4376 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe

"C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\db7b6c0123.exe

"C:\Users\Admin\1000037002\db7b6c0123.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b350ec-e338-4876-ad7d-603442e418b1} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59af31df-7b58-4b5e-b1cd-966b0c62cf68} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2824 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c9d5ce-f572-4ac2-9127-ebc5ff43b86f} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3744 -prefMapHandle 3740 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9530be52-47cc-478a-9340-b0a61e4127cb} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4704 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {440aecd3-7983-41d1-9a42-881c349d48da} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da0c101f-028c-43d8-81a4-999b728f3e33} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9bec3c6-4503-40a9-982a-bd4d514c815b} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5840 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a5ff6b8-17c4-47c7-abf9-786f81e73baa} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 5592 -prefMapHandle 6312 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {692c79e8-d903-4d5b-9276-bba96d16224b} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 34.42.82.35.in-addr.arpa udp
N/A 127.0.0.1:49946 tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:49955 tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/5048-0-0x0000000000480000-0x000000000092F000-memory.dmp

memory/5048-1-0x00000000773E4000-0x00000000773E6000-memory.dmp

memory/5048-2-0x0000000000481000-0x00000000004AF000-memory.dmp

memory/5048-3-0x0000000000480000-0x000000000092F000-memory.dmp

memory/5048-4-0x0000000000480000-0x000000000092F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 eaf416c90ff444ed0b55c70c423e1c0a
SHA1 60dddee8c051defe4e439b7106f300954eb40f5f
SHA256 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353
SHA512 bbc11d0b7ef54a28c944432e3af074d4c8a66ec0e106984ad9572e4bad971ea28eb4f92d35db3a21c21acded829ad46642150fed003c1d1dbd377e65e6a56bcc

memory/3276-16-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/5048-18-0x0000000000480000-0x000000000092F000-memory.dmp

memory/3276-19-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-20-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-21-0x0000000000100000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe

MD5 1455ca37b9ee12a77d965f4d0014ae26
SHA1 a72c4c98e24103c7457a00f7ad4d570bded52312
SHA256 8eea3916c8ec653b4062907cfd2b75c603c702d7aec9c5c6f24e3938e9c7a1f2
SHA512 7ef355d4cdc2c43615d1dbd109ac82242cb4df17893fd3fd7badbb3c0db2880363f61c224fbf7a6fbbacb08a93c3094a564446a68513c5ccb1d19c429586b82e

memory/2604-40-0x0000000072FFE000-0x0000000072FFF000-memory.dmp

memory/2604-41-0x0000000000BB0000-0x0000000000D02000-memory.dmp

memory/2724-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2724-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2724-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\db7b6c0123.exe

MD5 4924d17b3246349a878b16de3e6151eb
SHA1 75528bddbe5f424abf64ef1b86753efc83c3dbad
SHA256 3556a15b9acd978f3b51523b566b2f7cf776955ff4eba992cf14db2b8a311019
SHA512 ad862b16e79c6d95d115de19cdaf8c0f8fa5a57734fbfee3e648c7360d92361ba21567ab4baaefda8f69f84bdea6933cbe0be36a164dde0bb7e28f374db49350

memory/1592-66-0x00000000006D0000-0x0000000000728000-memory.dmp

memory/3292-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3292-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\39649ec401.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2740-86-0x0000000000270000-0x00000000004B3000-memory.dmp

memory/2740-87-0x0000000000270000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\22f6e404-1ba6-42f9-a593-27d328872678

MD5 06866308455811e737a996f317cefee2
SHA1 a7cca78405346b4d589aba40c96bd421a4a439eb
SHA256 e6739eb32b80684c5b3ed5d7011bf945b74d735715f75f602505acd39463c2ed
SHA512 446b9f0cb2bc7530fc3e085e2557869dd7e8c3901eee0351a8f5ffe9349087197c2514efbf955240f29b2d4371e030fe8c8589d5e17b453702efac0354330d17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\897f45f5-deed-4029-9906-39614b2ea128

MD5 4ae918a3ee4999b26439011f597fdcdb
SHA1 8b41efca91d41c1d2937023673c894d206691294
SHA256 bf4315adfc360b821db91c1b31a9b47e8eac03222e51db95129f35d2634310bf
SHA512 632597f128138b89d4a17013219488378678254f4440648ad020416c2ed30eb347ba2cfcf42bd9f54b1f4f7a928c73bf99b7dc0889efb48c16ed09e858996ff5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\967b52e1-d67f-4d64-bbdb-5cef85757f32

MD5 8828bc97c194e817e80157a38b6e6f28
SHA1 495f6851f097432cb3e64ff3a1b2b5fd9ea8e8ce
SHA256 5f1dba693dae8206b850fbaf9db9c5d1f2ab2a340e189e7cdffd20b2dd370500
SHA512 4206cec6724e4c7cfce3d3da99275a58fc7af94d7c9982968e641a05e19add5b0079e7761268492988ac59a250382b2cba7ffe391362b1ce1ee131ebbe51fbd3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 2f3db92ad8f0234fc99e630b181b0cd7
SHA1 b2a7eaae6ab06b1ba9e83b309744a52e2035d9a8
SHA256 80a8c90802cdd1d0e672cca1b82e1ab3af2c7d7b3bded49dfe7166768569dca7
SHA512 09cab7195e5064b0a3b2e5c9762b08978f59bdf4bb1e9bb1633bbdb359bdd67d939280e84784613f4ace471ebec428e7464701129836ac0ef6f6af091d4e70ce

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

MD5 65e4269dca258fbb2c928eb010c7d4af
SHA1 7fac1a320756c61b8a735d08df62ecd7cd86bec8
SHA256 82ed03644813509af87772b7b7c7165100920e45aec4e469fb02c725f4db9210
SHA512 322ecf2a59ca2cab8f49a9dae3d9262750d4f10ce88fdd1de8021a20e2f46397cb9f8562122eb9f504fb7d1a59b19a30dea2b55aef58c3d57d8751cf0a49a4ae

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 431abcc8602d33febbda30da88d19b18
SHA1 5b0f72d42813d0292249d19dbfa317df623f5a66
SHA256 8a1c61dbc98ed709ce0ea85bbd4841f24ba223a701507eea9a44072fda0b58c9
SHA512 59ef5ef9ee9eb9c6fe7dd99d46a34c07e8ce1870b3f99e13b2f39db38359f4a7607ec00d87ca4dddeabd533ec4c661b3f998a67d0cde0287fbd15e7165c1eed0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 8738df1ebfef505d8328feac334bf2c2
SHA1 31719fef0ca3788c904c4a9fa31eedd283ba0f32
SHA256 bbda6e495d93559a0ed2211d06d615e98526efef33b758bce5779807ec753229
SHA512 3901f8f1568706695fb84c768afc1f26e04bba0b9e7879f6a2c74b2a2997155b6cf250d56f347ca09ce109814d98f02daf05fe63c2ae6134685b971b3eafe812

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

MD5 568a590aa4fa2487fb9a7be96ae7a7f7
SHA1 91756d1e01b81855382496b93f2bbf14a9ef5f6e
SHA256 64724ab62330cfe15abe453a0aa6cf9509f73ceca1f81d32ba5a1bd0f1c2925c
SHA512 7e5091d8deffc4b1abc217afa181cbb790a813d2c537e80998a39a0d789e8c801fa7597ac26c72e9a50f6c7feefb97f12d0468af7a348410e4315cfe1d65fe91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

MD5 22e1e778970357f89551dd8197fb2cb0
SHA1 7ca9a34416d9a5f9453950912f6d8bc16b73d5f6
SHA256 b8277bb7608bd76255a34bf47bb52482c65cd95645bde39437770bd2b3f9213b
SHA512 7133ee66d1217c0023536f617f19a936faa0ccb3a5b9a8fc478bf0ba21d66dd82cb7a8e07ff29256312b25fd6e8b1c686897cb383c8a451f9c569be997cca0b6

memory/3276-419-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-458-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-467-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-470-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-471-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-476-0x0000000000100000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 d1587951f66db6d0f976d7e045772aae
SHA1 3444cf46678d21e00a658fc9aa646c998d41bc78
SHA256 bbc567b7210dec2b2f2cec8230854b24fe8eebf4231d048ad37b3566acfed055
SHA512 1ffe84bf20818b43317f7c3177baa222ba2dc8f04527f2e70ea9833418a5a9a69e26efc0ea49d5fdb8c5bf412385ea1a9e4c148c803bb210ae9a85e62324d242

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 c29e4849c845161225632723b0b79f9b
SHA1 030cc9d69e14c6b0a136e1c0cabc9f235f587453
SHA256 18b208903cc04535072bbf8ae10d7b49159034729cf900a877cc55de5d33522d
SHA512 211347291c16694167e1a72ce8b27453dcd419b8779c043690c33b61038cce089fc813350528c3e61bc28e663a1f8b909c74ff095970dd8f641a5a2f3094eb49

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 a05c8d3c97e673e9d7c4f933f029eb77
SHA1 a02a7ace28d6e2f7d677c5eb382fdac53127e58c
SHA256 0d17755b17c4cf8deb2828ab207a9d345668b808a0736509e008e8f136eacdbb
SHA512 ec2873834feb729716496dac794315735f505af5fb33fed8d20a3d0b5feff2ea0071b6f2c6ce7fc88435b0bdd7c3a852df4329b8f550e7ce036490b28fc09e14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 5c424ffc63ca962898eb0ef482cb2679
SHA1 bc79b5ee949bfb58cd76fca3da53f9e7c8b211f9
SHA256 08ec6fe5c0d9422b47b91d1592c7ec99dc3f88efaae02c4a6814ebf2a27ba1e8
SHA512 bf312821f56e9112aa0501bfbe91894cc7810ed21cc83d69ef381a0dc9ffe01086746b2c97dd5c557c3f85ea0b515dd5336d69b6ca005fd0e105172486585a4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2238ebedc61179caf8266f70fc575873
SHA1 f63804ba14187ce2215bbdeacb05c27a8f39d4ee
SHA256 656133fc85af6e0fcdecf8cfe0538cd32eacbca153c1ee7c4c5291fcc28667f9
SHA512 0d55387add41fc1296c990fe6c422ece533afc207fd8502dc4aeb5b768b7e0081d2df4c46d697619ae24262fd4029ee8fc0d50b9633061cee46420ca19dc2c1f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 c231227de80a9bcdb6a1303fcbb3f4e5
SHA1 e734db93eb0f2c831821d21de8a5d4c13c5ce3fe
SHA256 02a41269cd6d7b928e18372df213d2fa9ab20cf786aa79032f6476b52d913505
SHA512 3168b5d25baa95d57acc50c57336e46d31a12b5e163ca39c075668bc6faf19d5cb1034d57a3c0eb59c021f4bf01705eb3be3a10b510761b69676a4bb2b904a31

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 0832ac709c3bca7d9c91ee34f0b240c1
SHA1 997a25520ee9b4efc3a6d9ebe2cd9c30051817b0
SHA256 15b5afab1fd7f3cc08948b7b614f84a9d438d0e23a59c6363fa2f3acb10d4de9
SHA512 8a523217c448eb8a3ee7e1ea7e2dec93055f221a9b58a2c3396dd32249dfcbb1db4b93718afae379797ffed0d21a8bcd4fd5c70fae256211ae6120903edc4245

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 69d18c893b3b652c18a9c277eaa41acf
SHA1 52b778aa7f7a654f50205c4d5aa3e0c34fbfc161
SHA256 f5be4072e9d8df5095f51629c43e858b182d969a4da8edb1eb12040e33d46988
SHA512 3df88421435396301aee182aebc63d57c3aea3e40cc9663e4b471f347c6e6ffdab42ac76a1f8ab32af48f37fedce552cc9b08b1120b92957358ef4635f45ddeb

memory/3276-871-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-1632-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/5612-1698-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/5612-1742-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2617-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2630-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2634-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2635-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2636-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2637-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/2004-2639-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/2004-2641-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2642-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2648-0x0000000000100000-0x00000000005AF000-memory.dmp

memory/3276-2650-0x0000000000100000-0x00000000005AF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-14 20:04

Reported: 2024-08-14 20:06

Platform: win11-20240802-en

Max time kernel: 150s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\a93744b8ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a93744b8ba.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3280 set thread context of 4024 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1676 set thread context of 2772 N/A C:\Users\Admin\1000037002\368f1ce836.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\368f1ce836.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\88cbddcf01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3044 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe
PID 3280 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\368f1ce836.exe
PID 1676 wrote to memory of 3804 N/A C:\Users\Admin\1000037002\368f1ce836.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1676 wrote to memory of 4476 N/A C:\Users\Admin\1000037002\368f1ce836.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1676 wrote to memory of 4228 N/A C:\Users\Admin\1000037002\368f1ce836.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1676 wrote to memory of 2772 N/A C:\Users\Admin\1000037002\368f1ce836.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\88cbddcf01.exe
PID 4024 wrote to memory of 1548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 732 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 732 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe

"C:\Users\Admin\AppData\Local\Temp\3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\368f1ce836.exe

"C:\Users\Admin\1000037002\368f1ce836.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\88cbddcf01.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\88cbddcf01.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d02e36f0-fd6f-4691-9afb-b27500e91848} 732 "\\.\pipe\gecko-crash-server-pipe.732" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2320 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7841fa-85ad-4e2b-b5b7-2bba7e75903e} 732 "\\.\pipe\gecko-crash-server-pipe.732" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3136 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919f499f-1321-468e-b1b6-7a00319571a6} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 2 -isForBrowser -prefsHandle 3056 -prefMapHandle 3208 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f31e82e8-2323-477b-8ae5-ca27657a5d1b} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2552 -prefMapHandle 4396 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bf549e8-43e8-46a1-9141-ff99a5098dc4} 732 "\\.\pipe\gecko-crash-server-pipe.732" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b3ab89-a810-4c03-b7be-ed9505b4f30e} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4d57814-1288-4ac8-abea-4fc74b99776f} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de63836a-feda-4ed4-b689-d3161ba03ea3} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 5620 -prefMapHandle 6240 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa847535-cd97-493a-8379-3152eb05e642} 732 "\\.\pipe\gecko-crash-server-pipe.732" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49856 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49864 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 eaf416c90ff444ed0b55c70c423e1c0a
SHA1 60dddee8c051defe4e439b7106f300954eb40f5f
SHA256 3fbd0ba89609ebbd34e91506cbff650b7a000ed9fd4566c4903c548df2355353
SHA512 bbc11d0b7ef54a28c944432e3af074d4c8a66ec0e106984ad9572e4bad971ea28eb4f92d35db3a21c21acded829ad46642150fed003c1d1dbd377e65e6a56bcc

C:\Users\Admin\AppData\Local\Temp\1000036001\a93744b8ba.exe

MD5 1455ca37b9ee12a77d965f4d0014ae26
SHA1 a72c4c98e24103c7457a00f7ad4d570bded52312
SHA256 8eea3916c8ec653b4062907cfd2b75c603c702d7aec9c5c6f24e3938e9c7a1f2
SHA512 7ef355d4cdc2c43615d1dbd109ac82242cb4df17893fd3fd7badbb3c0db2880363f61c224fbf7a6fbbacb08a93c3094a564446a68513c5ccb1d19c429586b82e

C:\Users\Admin\1000037002\368f1ce836.exe

MD5 4924d17b3246349a878b16de3e6151eb
SHA1 75528bddbe5f424abf64ef1b86753efc83c3dbad
SHA256 3556a15b9acd978f3b51523b566b2f7cf776955ff4eba992cf14db2b8a311019
SHA512 ad862b16e79c6d95d115de19cdaf8c0f8fa5a57734fbfee3e648c7360d92361ba21567ab4baaefda8f69f84bdea6933cbe0be36a164dde0bb7e28f374db49350

C:\Users\Admin\AppData\Local\Temp\1000038001\88cbddcf01.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\e9446234-9fa6-498a-b65f-f72e8ece205b

MD5 9f76d6530c651ba1ffbf8cd90a8625bf
SHA1 e438bbc1cdc2b97d7848787ee70cd680d16fc5e9
SHA256 0d92bc7b028e9df3c55f63a37c1b06d9286127cdf2cc3d6e131b21b4aa009e67
SHA512 3b6c84777fb87554de2c0fcdb4153bde9810a2a58b792fe033174669237cd3f30c4d692d2246c38e4f03bebed5178ad327d4c45a851b0647e2a1cfb044c8413f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\2524afbd-1565-40ed-af87-6a464be82d20

MD5 b3d03bcaae7299dfecd3a9274745f972
SHA1 3b09245ff2a6181628ad7329eaea062273d6c04e
SHA256 4ebb7a15ab46f03a3a5b8588d7a1d322c0fdb9e16ad9e7bdd42dda6978688c8c
SHA512 7698d5800138c9e699cc93307b1da24107a8a4a9a23ceca99752fcf463f404ea61127d3f2e2aa2084831e7dca72566de1371a3801321edc8e94a6a7ba930ced0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\48d18167-d001-4d65-8949-075e21caed10

MD5 9a1ddf5448417f14103bc158d842b649
SHA1 0142e6e5eb82146f8a0d2afa2aaae384c9ec3564
SHA256 b7fd82dd93ac11fcece89829830b0708649d385e3b2c3eb4ef4c6250612e73fe
SHA512 c0beccd9e1cb3b7e1b70babb6a2049f8c186a286ddd131e50b2f0323a5f09c4ae455a0413a804b0afe35ac5eec511a4287533c87c9c8477b4d081aeaccde3ffc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 b86c8f92b51287985e97a7142eb30a86
SHA1 9cd294a390a00a6f8d06859d3d6d72b1c1319f77
SHA256 af4527044f6307c3c68187cc669399bd07d0d3dfdd41c459cb0764a4a36193ce
SHA512 9080c5a9f5a1237b4655d60dfd385757aa0f066d2fe634b18c23279cdc3c8781f65604e39e5f2759178ae2cdce2ac0b5fc3f44e7c30bb321269289e479a69091

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 fd2389cf1482670067dd1a094011af47
SHA1 7dd04329353b10fbba9b889df191892b36583206
SHA256 480b17f74ccec78bf16a48b6ce91cb5d842a2c2135771ba293275f547b95a665
SHA512 b85c34d6dd094d49083903b0f3a4ac2435f4642d37851e25a38b976ea888dbb7387c4c79a8e46ada93490d78f585ccd8e9b648fe1625ea8ebddbc656072e95b3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json.tmp

MD5 a88f982d2f74235968910a20a1ba57ac
SHA1 d1d141c6a7d8e92a6f9968421bd8f5b6581a7e43
SHA256 8ffc51379628f893b7ebbf5635dac57da8f44dc139dd5d456f96ef4968a96997
SHA512 18840565f5c4b8ffc5d570d07484dbdd43131325caabe0c1b80c4be2b5efe3120b41c541b3a8ebbefcb79e82def3a77712bcf9a606c786e5326a2b874fafedbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 4f88ba0560e884acf29604b1e9b536d2
SHA1 dfda57ba48beec3953378662a522dde7c1c4050f
SHA256 4e65ca7061fd4452fab51f0b1196357ad572158f5d35b869d1bb2bbee558f401
SHA512 c8e0e4e6d08f668df5c288d8c93de559bcb4249ce33bc2a2a3212db04984f39c69ef84c64ea041824ee44ebb03454953f72d1272c43111cff898cd8b265ff2e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 e027195db7c00555def7391f229d3caf
SHA1 9b7871a864965b06b6bdfb18e867d446da708c7f
SHA256 632f9ca895a757bce497e07d24c239fa3071a0a09bf620f181be3fa0452a6ae3
SHA512 afd060a805337f1a85f46de53e6f32b8c1d130cbbb1ad65c56601561cba59eba0169ff34014770ab763b5317b391059ce5d72deba0e63625a13e366be5e5779b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 1476864439f8bebfee81b21d50da9474
SHA1 cf10a6fbb23d4a52ab8f726661b77e8fad2ae7a5
SHA256 cee69f3346188395bd74d9d2f13d4c6a0e1bdbdeab7387161398e698eecdd201
SHA512 f75e4ec188e175f25842c9de911077d1abdb70b46c27703e7c41698efac03136f5f60a8b2463f8db27ae76fa44e375b470449ea920c38a15c1b44a513697100a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 20046602db0806a1a7ca7556bdebbf5a
SHA1 24f642c8eead54ebcd6cb4e7da46020238678e75
SHA256 4d84dd585382689b257195ce6d6ee1463a2f13d00aa90697f4fcab7102347d69
SHA512 b19ea81f5dcbac31d354984123804bba2a2697150a2fec85e90ef7136ba1ff00e61eb578292c899d455afd23d0e34789349e8a2ef190351ff99095a681cbb9fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 dcb173e344259b5dd2ed28166569a50b
SHA1 66d00a4b7bcdc2dc3777a15fba1447e30dec3aa9
SHA256 19f91d7f249dc460425a0ea4411122e462bcae0c3b085f8b15fea1b30fc260c5
SHA512 29a6dc84d4ff3471a7602e6c939f1299eea1fa843ab7b2d51bacd2acb68863543b416c457b327f3b7556f3f8bdca5c91c03468aa19bdd6138410b0dea5b4b269

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 78886dc5b7072c0d38fc50512d0585dc
SHA1 5c70bd9b934fe1bc0a1826e53b064f191498b2cb
SHA256 39f23a95615094fba1ea5c93192eeb02b34570b9f568a55b9a7e1def2b0cf801
SHA512 aac50a29d7118137a4b662280f6bbb0c8f6a1b8471ad64ff22c01f937aefb35fe731059325bdab1ed7ac46798a2d48dcd5274a35e08083af662147a03ac7bb16

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 6bd6f572157cf03d61932b795fa3d91b
SHA1 d5376d2cbb5967956183b364a28135f85c9ff522
SHA256 cafc794c3ec6f9344bc1c7bc32ec2f9991e085fce3a5821680b3e41e29a8b20c
SHA512 aafea6ea55e1af0c8b0ec4626e4b25b12e9fd5f8f3d72935d35888ecea62845f977fb1b8c3dc32b47a7532eb998e4048a00221cfef04c1abe5eb61377e23d126

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
