Malware Analysis Report

2024-10-18 23:42

Sample ID 240815-ebgg7sxhrm
Target b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
SHA256 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09

Threat Level: Known bad

The file b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09 was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-08-15 03:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 03:45
Reported: 2024-08-15 03:48
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1639a9e5e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f1639a9e5e.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks installed software on the system

discovery

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3908 set thread context of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 set thread context of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\b6920fe10b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3768 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3768 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3768 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2384 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe
PID 2384 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe
PID 2384 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe
PID 3908 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3908 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2384 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\b6920fe10b.exe
PID 2384 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\b6920fe10b.exe
PID 2384 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\b6920fe10b.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 808 wrote to memory of 4848 | N/A | C:\Users\Admin\1000037002\b6920fe10b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2384 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe
PID 2384 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe
PID 2384 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe
PID 3580 wrote to memory of 4504 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3580 wrote to memory of 4504 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 552 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 552 wrote to memory of 4360 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe

"C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b6920fe10b.exe

"C:\Users\Admin\1000037002\b6920fe10b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31b69980-9354-4994-92fd-132cda0fa662} 552 "\\.\pipe\gecko-crash-server-pipe.552" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7280f82c-10ea-46f6-96fa-87b03fb25cf5} 552 "\\.\pipe\gecko-crash-server-pipe.552" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2796 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b33016-d727-495a-99b2-b132d7e508a0} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4036 -childID 2 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8a11ae8-9882-43d1-b387-119f54ba5c1f} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3f512bd-c38b-44e1-83f8-e386ae34a3ed} 552 "\\.\pipe\gecko-crash-server-pipe.552" utility

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5468 -prefMapHandle 5464 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b273ff56-c47c-4061-8697-522c55c73ed1} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5776 -prefMapHandle 5784 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d654a484-4465-4370-89d8-a489d4a9f3e4} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 5 -isForBrowser -prefsHandle 6024 -prefMapHandle 6020 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {506ab9b3-43ac-40f4-9391-4f73d717af69} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 6 -isForBrowser -prefsHandle 6140 -prefMapHandle 5936 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c03f90ff-3e5b-4446-9763-17e25feb0266} 552 "\\.\pipe\gecko-crash-server-pipe.552" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
FR 172.217.20.174:443 tcp
FR 172.217.20.174:443 udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
FR 142.250.201.174:443 udp
N/A 127.0.0.1:56767 tcp
N/A 127.0.0.1:56782 tcp
FR 142.250.179.67:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FR 172.217.20.196:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FR 142.250.201.174:443 tcp
FR 142.250.201.174:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FR 142.250.201.174:443 tcp
FR 142.250.201.174:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4---sn-5hnednss.gvt1.com tcp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 201.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/3768-0-0x0000000000490000-0x0000000000960000-memory.dmp

memory/3768-1-0x0000000077A94000-0x0000000077A96000-memory.dmp

memory/3768-2-0x0000000000491000-0x00000000004BF000-memory.dmp

memory/3768-3-0x0000000000490000-0x0000000000960000-memory.dmp

memory/3768-4-0x0000000000490000-0x0000000000960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 b0793df68563b6c6e89ec848478ad0e7
SHA1 0d4d1e949a624613448d2e8c8007185823408234
SHA256 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
SHA512 fc4cd0a359b91d8e9d5c07572abb57e6b0be58f502432018b6657615eceb7a3bbc633bf6b3ca8b40ba77899e3ac839b0d98b7adc160fbdb04226675548bad42e

memory/2384-16-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/3768-18-0x0000000000490000-0x0000000000960000-memory.dmp

memory/2384-20-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-19-0x0000000000501000-0x000000000052F000-memory.dmp

memory/2384-21-0x0000000000500000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\f1639a9e5e.exe

MD5 03dea3374e443f985819c31eca10560c
SHA1 44b963d221b2b52835ac389b41754873a7a48779
SHA256 6fbef0d57502a0dcbebe0c8bb1d592bbb03c605ec403dc67fc2f972e4fb91c05
SHA512 df33d2d8561895417f486ac6264bec591324f8e2083dab2783c5ad18035013478599b080d193bab601bcb77324502deebe01a44da4f413e335a0de91a45fc489

memory/3908-40-0x00000000736AE000-0x00000000736AF000-memory.dmp

memory/3908-41-0x0000000000E40000-0x0000000000F92000-memory.dmp

memory/3580-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3580-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3580-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\b6920fe10b.exe

MD5 b9725e6125233dee3e1feb1a5877850b
SHA1 fa69edc44d562ede0c1dbafe263a847c638dad60
SHA256 dd6aca77dc5c84918250f8c681a3a7391d0b6e512c763f9eaf4eb7e4c3695fd4
SHA512 5b1a9520b5dc10085756fd72a20de62f6f6ed48f1d76f7a93ebbf847a6c699c03121ebe56dadc1b0bf90855b7d446af47a46b3ce8527a07abd7457d62b4271d9

memory/808-66-0x00000000009F0000-0x0000000000A48000-memory.dmp

memory/4848-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4848-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\4ee08a0885.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3524-86-0x0000000000780000-0x00000000009C3000-memory.dmp

memory/4848-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\97577f74-cc78-4340-82b5-4b5eb18e1eab

MD5 94e38f38e7b3922560da68b6d39a0808
SHA1 add2e17b59c272da187a7e5614ac2196db9f158c
SHA256 cae61a2cc0ffe67d51ccba96d35182f37344cded71177114dffd9973731074fc
SHA512 f033d8a3e6d73017adb27aab9969173639d6fdd396f6b8e8fe7d74a72d9409a7707f37e5cb25acf48f46f2dcecd3ac4b9cacbceb9e7fa4a5413461d3b29e48d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 54f288557cbd07e68e223066016a2617
SHA1 c289d4caaf8a5b77ff7c96d757e331d50dbe416d
SHA256 1e5f35edaba9a833bb66ac8bdd17ee989f9ae9f9969d72dadfc427c189753105
SHA512 ae482d4d096663cae9fc05c3f66c0e89b4735189cb0c2cfd08159e4ff0d5884bfc6afce99b9b6e8b80d231a9e9d15c829c3ab144a459e0fee4cb9adbe8910d61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\1e9b1115-7a69-43ef-844f-2468aa3f4b2c

MD5 e1cadd12b1bc1e7cb4e5b4aa205b68e8
SHA1 0ff358d63a7b6d959f637f0fa57d1b5b4a27f5c2
SHA256 8e8c00eb2e02cbf3ed719ce8d1c33d2762e6eaff95a7cc1a58949f23d8a5fb58
SHA512 d93a5cc4726741da84ed41432a9c54244d41dfdfa696ecaa2b587df1384f2aae4ee83dc6f4b92e63e4fd4e122f4aaf6438cd209bf0f7bdcd380ad9072d3f937b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 6a9879ba5f12fd1e972744f54577fa95
SHA1 07eae9c3a4f7fa413f0ff85e3da3cab192eeb17f
SHA256 6d3bb07261ffa6375626c47e213bf1c5b709d4a461991a4d2a5605261fffbcc8
SHA512 f1f31cd69c78af11bbc2aa4c1c973173c9f1252c10f8b4b6267fdaa5d230d2c4b6cf713ed7b3fc9be5d88abbe8f8e90e7cfafc1d9515c97c0ca0e5a2abf2533b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 d6e4635e35a6b3206748529893af64de
SHA1 e67256d0a546eb6e0f8cb4febb6eb448ce4a4d68
SHA256 7c19990d1cff86304f1a5baaf5c9baa55c1a3b5021eb786db0c068259eafaa0a
SHA512 87d3594c935e51de2d6c08fb2614f2107f29877727c6f5321425890566d974a0963755b880a9fe6c66162fc560d6b1e20ef22245200cf054337a0cd0ae77182d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 5cb7fc1322e25b63bc0bf45b43391384
SHA1 9aa0ade99da3c8bb15aa4e1cf4a62f81517f3699
SHA256 043f94c0f9367f2dd1cc95f846d67334a5b4a616145dceda1271232202e37cf6
SHA512 78d3ef4b777ee888f4b3c02f5bec7a9703712b1b50c37b45f67694635d5cc62d2a05c6b1134de195463fcabffc20c236c7df0712bf980fdae2f59f9c2c1c60f6

memory/5684-365-0x0000000000500000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 99ca8774c26116d52d00be3a8117ddeb
SHA1 3b7304468928d120cdbb2be9cce8350d8f6c7554
SHA256 fa718557e0b88c097681a1f4a36f7d49597c00885cfc0bcb60c1e546d0504329
SHA512 c5760478176beca3117593f6b676cb0a1ca1d14c35421bf038ba6a466cf88a9d5990497daa65b04b8fa12b607c0191dd3737b70852f1d0d250230a6be4e88b9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 a7ebec34c18bd2506062d4444d62544d
SHA1 08437a9470e7d35d27ba2bf78677cf3bd4ebc83a
SHA256 060138c812efb8c53e4d4fae96da95da9204d133746f830bd9128d2855b5bfe7
SHA512 dcc8e00485ee91712fcfdb5f282369fe11ff35be370d28eea0c3e9a56cef7c6bd63b687826112a0b45319ef5d15769079115f8aa1af817f9960fb14093554f25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 844dfa82fea602a34ba1ff74dbdebdc0
SHA1 024ae5598cae880f1a814f995a98c30771837cb6
SHA256 a6202c6a7169a3201a86f56e4450e842b0518a251ad381395546038df9d83b26
SHA512 11ed3ffcbb5b530797c54d5bc7e45335a8d379b7f33fb3247f638630f256f5654cce8f390e58e6a0cc8e976e555feae6454eee1390e522f64c70318718a72d41

memory/5684-398-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-452-0x0000000000500000-0x00000000009D0000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite-wal

MD5 76a222f3fbad467ec31b820a50d28c9e
SHA1 19c8319ded64c91c3337e1cb729c3ab634996c97
SHA256 f81d0f4c67514eaab86f1417a24a701c4299d7bff645a0ec65f512aea16c9cd6
SHA512 018e50ded9b2262c6ab3237f980865e4556f9882afda253e01cf44de7088666d2d91a2a693c16c9ab6b04187f380763cef0314733cd91bc5b59615aa6355a056

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\places.sqlite-wal

MD5 4cc8d2b0c701118ba8a54b30211b315d
SHA1 50bb73979ca4a49ff052dcbca639d746fe744950
SHA256 ff475d904328eec00b6eec7a59009c396d00821cc1822218c85badfaf92f4f69
SHA512 f8844fa15c6f9f0a1fc6bae751acd22346988a7fe37f5a3368d59bb968fc946ea409f27400be5ed7a8faa39335e48771a5a7eacd779a8c43fdeac7f907ee8067

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\ProgramData\BKFIJJEGHDAEBGCAKJKF

MD5 ecd0b592afbd81e9d524229413e73918
SHA1 0c28ed6f0bc19075a4d8cdd8dad4c8eac1e96999
SHA256 23fe0adc370ab28e440ff5094afe9a303e5d79cd725a3a54c16d879467d30275
SHA512 14c00dbb19708d99f38962649a8f49fdf0bf7990bd4f7d83049dc0deb1b2b4bee97143d309e331feabf8e53c603cc783808586ac581103030930aa4c40eadf0c

memory/2384-495-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/3524-496-0x0000000000780000-0x00000000009C3000-memory.dmp

memory/2384-505-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-508-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-509-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-510-0x0000000000500000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 a1d47364aadbad4316828dce5eb9ab4a
SHA1 d32afacfa3712ac3d4e29210bba0353a1de5343f
SHA256 701d2c467a8d1600d0c4d1687baf5842ae5b9e8c8e5cc8a3bc7a4b94b02accba
SHA512 9e1bf2c9d549b54a7299aec089599e66fd58a68a4174e05bb1190a4470269a693eac2d82c783b43ebb08ec7332cfaf4aa93c3b00afaded4e67fade29ef5a82a4

memory/2384-528-0x0000000000500000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 d1fc6e2380cf8493df7df7ba1c133e06
SHA1 19baf1ea8b7f0beef08fb947cf4b78ff2837ae7d
SHA256 0e9b34962737f79e0c2106ee50b9c04b9ef1d7ee00eddb3499db9681e79101cd
SHA512 9551f356dde35749536f1ae3cb19844f1dec1d347f284b17c6c7d0d56bc304831107fc9d40340119cce7bab3149c1c7edfb0ce95c5809925cc86142aa3a382ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 55e369a80a66a4a63a51a2bed8915f30
SHA1 8beef179425b62b1ad4eb0c5e84ca40049751aa2
SHA256 685b676698b321abc2f86498a4e37889088a4a03c45d8a65d1a99b761bc5c315
SHA512 15bde06a8f694ef7de2ac250b7aba59608bf71112a832f51e487f05e18d42a9055c6454b4836c825f231ab449776e1bc3b75941371f5aaf55bc9b4bc6cd9d84a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ad4dd2252fb454aa0ed9f4b7b82745a9
SHA1 5329588a2025100b48f64b5c311c439d5ff6fa49
SHA256 458c1d70d904136ee530bf83f6ac93dff7d11f2ae9240d0b5d834c4dbcc5eae2
SHA512 00a4ce8e1ef9a60fbaf2fccfb98ffad20a66275ad98247ad59b1207ca2ecc40c0255f3e7ab2906cc3306327e9ab5bc17e0779a8c0c7a581e11a28b10b1ae6193

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 a33e8713c134cff4b28992e287ed500a
SHA1 b66453f6acbc4dd6c18fd1d778eb2ac78f1079c4
SHA256 18028ffd64a4d87eb340acd07fff22b8c2c98a547e6b37bc0c5988ea8fe4ff64
SHA512 4c2782aeba1e4d184f328159bc0d684ec9d005443911738aad46023a81b6c515c1f0d89f060cf89c2e1983ddb35be1b72e1aab02191f2608e907742d1a4fc534

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 b04297b43937f07b632b193bec353d45
SHA1 0b30ef3a8a2c387a79f2f86e86d8320d0764d5c4
SHA256 dae433c42d9cb51b2bcd3b601329c87986111a1ba78d758d5fa6c2d6ba9fcbd7
SHA512 a21e1c8a7b3d4359f87bf211f0875d41dea3099e71113077703e7696275834e1adafb3971a3495afc5db662dffd267cc5a478cb309cbdbfad1201ec892644627

memory/2384-1151-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2296-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2759-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/1916-2764-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/1916-2765-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2770-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2772-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2773-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2774-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2775-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2776-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2916-2783-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2916-2784-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2785-0x0000000000500000-0x00000000009D0000-memory.dmp

memory/2384-2786-0x0000000000500000-0x00000000009D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 03:45

Reported

2024-08-15 03:48

Platform

win11-20240802-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\79005ad8df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\79005ad8df.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 set thread context of 4360 N/A C:\Users\Admin\1000037002\a97ffb87e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\a97ffb87e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 248 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe
PID 5044 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 248 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a97ffb87e3.exe
PID 4428 wrote to memory of 4360 N/A C:\Users\Admin\1000037002\a97ffb87e3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 248 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe
PID 1884 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1080 wrote to memory of 4012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4012 wrote to memory of 4324 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe

"C:\Users\Admin\AppData\Local\Temp\b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\a97ffb87e3.exe

"C:\Users\Admin\1000037002\a97ffb87e3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8391a761-eff9-4e15-9dcb-912881f7e316} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b403a29b-232e-4e87-8a2c-e1a2ea04ef21} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 2756 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed872b4f-73c0-4e86-aec0-5707cce083be} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 2 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbdd4419-2891-41ba-a31f-f8fecaa37521} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38768ed5-2fe5-4f3e-91c6-a05278cac601} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a712341b-eeca-4930-9404-cf26787b5dcd} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5772 -prefMapHandle 5768 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3534fbd6-c150-4d77-9c43-5f03a00453c4} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5972 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaf9843-3bd3-49e1-9f02-3ee2088547aa} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 6 -isForBrowser -prefsHandle 6100 -prefMapHandle 6104 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89d07ab-3699-4cde-ad79-8daa078c37ba} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49913 tcp
FR 172.217.20.174:443 accounts.youtube.com tcp
FR 172.217.20.174:443 accounts.youtube.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49922 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com tcp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp

Files

memory/4804-0-0x0000000000B40000-0x0000000001010000-memory.dmp

memory/4804-1-0x00000000779C6000-0x00000000779C8000-memory.dmp

memory/4804-2-0x0000000000B41000-0x0000000000B6F000-memory.dmp

memory/4804-3-0x0000000000B40000-0x0000000001010000-memory.dmp

memory/4804-5-0x0000000000B40000-0x0000000001010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 b0793df68563b6c6e89ec848478ad0e7
SHA1 0d4d1e949a624613448d2e8c8007185823408234
SHA256 b6fc70434c7ed986b972b80c4b19ead943118d05b9b3fcc97882c9a74e4e7b09
SHA512 fc4cd0a359b91d8e9d5c07572abb57e6b0be58f502432018b6657615eceb7a3bbc633bf6b3ca8b40ba77899e3ac839b0d98b7adc160fbdb04226675548bad42e

memory/248-16-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/4804-18-0x0000000000B40000-0x0000000001010000-memory.dmp

memory/1132-20-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-22-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-21-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-23-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/1132-24-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/1132-26-0x00000000009E1000-0x0000000000A0F000-memory.dmp

memory/1132-27-0x00000000009E0000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\79005ad8df.exe

MD5 03dea3374e443f985819c31eca10560c
SHA1 44b963d221b2b52835ac389b41754873a7a48779
SHA256 6fbef0d57502a0dcbebe0c8bb1d592bbb03c605ec403dc67fc2f972e4fb91c05
SHA512 df33d2d8561895417f486ac6264bec591324f8e2083dab2783c5ad18035013478599b080d193bab601bcb77324502deebe01a44da4f413e335a0de91a45fc489

memory/5044-46-0x0000000000620000-0x0000000000772000-memory.dmp

memory/1884-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1884-52-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1884-50-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\a97ffb87e3.exe

MD5 b9725e6125233dee3e1feb1a5877850b
SHA1 fa69edc44d562ede0c1dbafe263a847c638dad60
SHA256 dd6aca77dc5c84918250f8c681a3a7391d0b6e512c763f9eaf4eb7e4c3695fd4
SHA512 5b1a9520b5dc10085756fd72a20de62f6f6ed48f1d76f7a93ebbf847a6c699c03121ebe56dadc1b0bf90855b7d446af47a46b3ce8527a07abd7457d62b4271d9

memory/4428-71-0x0000000000FE0000-0x0000000001038000-memory.dmp

memory/4360-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4360-75-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\dc1b820db4.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3452-91-0x0000000000E90000-0x00000000010D3000-memory.dmp

memory/3452-92-0x0000000000E90000-0x00000000010D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\4c25bc39-04ca-48bf-8511-7cab93484900

MD5 a4b7ef159f5bc24464adfedd8b1166f1
SHA1 ebd410c404d4ca119e93f8d46f1dbb40d277554b
SHA256 46a01b63ab8fb2456891a1b06f0d9c218bc6961015e7b0c9fa3a9645de87a663
SHA512 06cb98a9c0d0d248613c67e8f8d345da9855503845027511e7386b3aa2e72c495934b70b172325fa61cb244bd8d840ab79e4eca9cae0f082a6293036e7be50ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\692edcee-e6a4-4850-8092-3a2ca5409545

MD5 cef06387b3b885dffa1c4ebc70aeca39
SHA1 34375d53bbfa76c20f74092d45bb181778ca626b
SHA256 05345c327ace3025e56d480f9f95951d1ab5bbe271e0d0f8b8907b9bfb62e57d
SHA512 34d4f5dcb78e77e5e59164cf0da31de043ee172681ff6c0a36b4cbfa379821d5d95dc22f6c6a90c2bb78a4cbe6735cf2570e544440269922f1890891fe49998c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 ec28abdc9f73abbe17282a090bb581b2
SHA1 a7cec4a5ab0e174bb87c7b1435c7417689321212
SHA256 649bf262bc0ba56c8a00eab97a9e39e559b195856a10511bf67115d5f03d9c98
SHA512 e2fccbfd25d973917e563c2fb605f109158395e9f519c9163886933682a1973b167cb246f2ba9f50b3636e9f99bb5c78597217d68d9a5f14171efa6306427f33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 e8cb66fa5e7ea47c2d527613a759f789
SHA1 05f0fcfee4e489aebb590fdc328728f798bb5292
SHA256 ae98b7fd44e9b4e24d81d4de0173996a7bfd86ff3cfb980d373b60a02107008f
SHA512 e05bb8279c70778966c2449362fd0bc51898f9339d0af0b05e631157b84ef26716549d9f853ff5d467488e02ef4b171955e568ab1dfdfbfba932d002100236b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 48f5b9848159511471c06448bf0af945
SHA1 bc09c144d98b8cbc32ea2453676a1ce86a4d00f8
SHA256 b5f03725adad6bdb953261d9daaf968f9f15e157961cdf73fc7b43ac66e7b114
SHA512 0377af524dd0414beda9e52c29ff8c75856d468b6cccd44ca0cb608d8a6d5bb4b9303e45c012f873122b50c5fbc0d364e823aa037544b87d0b16f42a695a5d11

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 e5ad804db29edd8acfea91c4c2b13f33
SHA1 27d049697ac01161b524e7767a668cae38a2fef2
SHA256 11ac016fcee27d9e46082e0b7aada7bddc98743599cf4b2f7c455a7870e0f5fd
SHA512 eeb87e477759f87f63ebdce63c0beb2f649a6508ec70a5c40f573423a15f5d0cea5d4709dd04d1f2e4bfd5144b11d88ae157544808a8b1dea80cd6ef7639f252

memory/248-410-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-419-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-420-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-429-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-432-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-437-0x00000000009E0000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 0333783b0751e4e0f192a7225dae0b8a
SHA1 abc7b4f3df32ba7e3ca6dbaf1108e6fb5f9407c5
SHA256 1de1073df075f089273c8623ae7e97a6078ca16f4868f82c09f3d9ee70669095
SHA512 f525e1df05e15bbad2a11ad7a7967c3d91db7b4adc59ab48fca2850d6c2cd0078c3109050c960c71b3365a732c3ec61c9d69bf91b1d0aa1ff33b3f5ab81b93fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 4ea996795959ece12c4a83d63845ab97
SHA1 d09241cc52558aa83e318a55eed71d66ceaa7f1d
SHA256 3a408b9c82750a05d536e202d0370dcd6d56e67a47956498e8e17b13843fe4d7
SHA512 3ad8b9c934adba7599829a87b63b41813fe31dc310b4997817cf3b7a8c3a06d85f3405e247337bacf9863abe2fd90f7e0e01fc95666356f6fe52790708e1bef3

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 6d902274d3c48ad4c6e87906170222a5
SHA1 4aee4d740f8eace33fd2b9a6fb68fc859e36c8c3
SHA256 c93a208227e66439927fa1b210c7264286a43e493fb8704a48bebba7a85dbe54
SHA512 500363e2f088e0840c3223d7b601223b5f4691258de0f4f8413212ae9e88750fb9ed28732bd6f9b2d4d67dd020f1f72bde58f6a2e06394c2bc7007c231dc0234

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 cade517ac00e177bca8d9f04f29aa7e9
SHA1 02edfb5ab586d8d5ad51d566b0b8b76f85117ee5
SHA256 4e40976c04081d766c1d23de39a901701c4175444d818adf60f5e2010081a6e4
SHA512 2d2d14c271494fe2f06300ce691fa56f0ffdc08fe919a9c309e7dffbbd8d7b32fe56a5d1c70412cd6e0403225c7b14069cdf7cb6606c085ff41c56947d24d2eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 c8b4ab04f2cb0626f2109432b0cf1cce
SHA1 61860e6c20948398c0adc6a95c85f3180fba3047
SHA256 79ff4edb6ae7ced74f8ceb5ad665751981689184aa3e1e6ff55cc2df4675edc6
SHA512 cca6381a8c751155f3289af70d4e230b577637245e726a6c126b775115e377a2c7232ae120f5252af9215d6c68f47aaa85c80327cd29065cf3fea7499b505fc6

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 706387e24c549230d3bd629f2c3bd1ea
SHA1 5e3a7e7645eb67219300d906752902a41a2d1b10
SHA256 f0d149990b3a75f46b99af35a9cde6056c6ff698fa1586fbadf022d01031e099
SHA512 812d008538d3c75edf389079c4b09954e3423b35bec62ae6b3c6a96638bb195089a8a85f84039224af1762feaab59c1d5b5e6c4fb0f3cd6ac0d7a929295fd940

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 0607c3ff27c2adda08452687f692578c
SHA1 7f4f369829e778eb5d09947015dbd238fc39e747
SHA256 e45de415801e207d73f3e8c9941625b192bbcc07069523a57a086db4217f82fd
SHA512 66324b27cb1af825394933f5ed6ad7f4dc3b8c076aecf224fdda4f0c20f95915e0b13faf556c84fe5bc900adb57dafa93820d5b2d8144e6c9a85211e9e06aa38

memory/248-1062-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2412-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2596-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/4220-2598-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/4220-2599-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2605-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2609-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2610-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2611-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2612-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2614-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/1524-2615-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/1524-2616-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2617-0x00000000009E0000-0x0000000000EB0000-memory.dmp

memory/248-2623-0x00000000009E0000-0x0000000000EB0000-memory.dmp