Malware Analysis Report

2024-10-18 23:42

Sample ID 240815-mdx7qssgmq
Target 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
SHA256 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0

Threat Level: Known bad

The file 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:21

Reported

2024-08-15 10:24

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e631a91209.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e631a91209.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1620 set thread context of 1008 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4020 set thread context of 4804 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\6d36ec8513.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Occurrences
N/A N/A C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A 1
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 35

Suspicious use of SendNotifyMessage

Description Indicator Process Target Occurrences
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 37

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 4796 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 3
PID 468 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe 3
PID 1620 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10
PID 468 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6d36ec8513.exe 3
PID 4020 wrote to memory of 964 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 1380 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 2140 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 1740 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 4280 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 4480 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 3
PID 4020 wrote to memory of 4804 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9
PID 468 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe 3
PID 1008 wrote to memory of 4608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 4608 wrote to memory of 2344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 2344 wrote to memory of 2012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
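
The registry-check tables above (the VirtualBox ACPI key, the BIOS version values, the Wine key, Geo\Nation, NLS\Language and the Run key) together with the SetThreadContext and WriteProcessMemory tables are the rows an analyst actually works from. The Python below is an added example, not the sandbox's own code or any tooling from this report: it parses rows in the layout this page renders them in (a subset of the rows above, transcribed one per distinct source/target pair), rebuilds the parent/child tree from the cross-process writes, flags the write-then-SetThreadContext pairs that hollow RegAsm.exe, and labels each process's registry checks. The category names in REG_CLASSES, and the assumption that the writes a parent makes while creating a child are what the sandbox attributes to it, are the example's own, not the report's.

```python
"""Rebuild the injection chain and the anti-analysis registry checks from the
report's signature rows.  The rows are transcribed; the logic is an added example."""
import ntpath
import re
from collections import defaultdict

# Image paths exactly as the report prints them.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"
EXPLORTI = TMP + r"\0d8f5eb8a7\explorti.exe"
E631 = TMP + r"\1000036001\e631a91209.exe"
D6D3 = r"C:\Users\Admin\1000037002\6d36ec8513.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000"
# Constructed from the report's signature tables: one row per distinct event.
MEMORY_ROWS = [
    f"PID 4796 wrote to memory of 468 N/A {SAMPLE} {EXPLORTI}",
    f"PID 468 wrote to memory of 1620 N/A {EXPLORTI} {E631}",
    f"PID 1620 wrote to memory of 1008 N/A {E631} {REGASM}",
    f"PID 1620 set thread context of 1008 N/A {E631} {REGASM}",
    f"PID 468 wrote to memory of 4020 N/A {EXPLORTI} {D6D3}",
    f"PID 4020 wrote to memory of 964 N/A {D6D3} {REGASM}",
    f"PID 4020 wrote to memory of 4804 N/A {D6D3} {REGASM}",
    f"PID 4020 set thread context of 4804 N/A {D6D3} {REGASM}",
    f"PID 1008 wrote to memory of 4608 N/A {REGASM} {FIREFOX}",
    f"PID 4608 wrote to memory of 2344 N/A {FIREFOX} {FIREFOX}",
]
REGISTRY_ROWS = [
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {EXPLORTI} N/A",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {EXPLORTI} N/A",
    rf"Key opened {HKCU}\Software\Wine {EXPLORTI} N/A",
    rf"Key value queried {HKCU}\Control Panel\International\Geo\Nation {REGASM} N/A",
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {E631} N/A",
    rf'Set value (str) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e631a91209.exe = "{E631}" {EXPLORTI} N/A',
]
WRITE, CONTEXT = "wrote to memory of", "set thread context of"
# Paths contain spaces, so the next column is located by the " C:\" that starts it.
MEM_RE = re.compile(rf"^PID (\d+) ({WRITE}|{CONTEXT}) (\d+) N/A (.+?) (C:\\.+)$")
REG_RE = re.compile(r"^(Key opened|Key value queried|Set value \(str\)) (\\REGISTRY\\.+?) (C:\\.+) N/A$")
# Key-path fragments mapped to the behaviour they indicate (labels are the example's own).
REG_CLASSES = [
    (r"\\ACPI\\DSDT\\VBOX__", "anti-vm:virtualbox-acpi"),
    (r"\\Software\\Wine$", "anti-vm:wine"),
    (r"\\(System|Video)BiosVersion$", "fingerprint:bios"),
    (r"\\Geo\\Nation$", "discovery:geo-nation"),
    (r"\\NLS\\Language$", "discovery:system-language"),
    (r"\\CurrentVersion\\Run\\", "persistence:run-key"),
]


def parse_memory_rows(rows):
    """(src_pid, dst_pid, action, src_image, dst_image) per row; bad rows fail loudly."""
    matches = [MEM_RE.match(row) for row in rows]
    if None in matches:
        raise ValueError("unrecognised WriteProcessMemory/SetThreadContext row")
    return [(int(m[1]), int(m[3]), m[2], m[4], m[5]) for m in matches]


def process_tree(events):
    """Parent -> children map; a child's creation-time writes are credited to its parent."""
    images, children = {}, defaultdict(list)
    for src, dst, action, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if action == WRITE and dst not in children[src]:
            children[src].append(dst)
    return images, dict(children)


def render_tree(images, children, pid, depth=0):
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(images[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(images, children, child, depth + 1))
    return lines


def find_hollowing(events):
    """Write into a process, then reset its thread context, with the target
    running a different image: the hollowing pattern behind both RegAsm.exe hits."""
    writes = {(s, d) for s, d, a, *_ in events if a == WRITE}
    return [(s, d, ntpath.basename(si), ntpath.basename(di))
            for s, d, a, si, di in events
            if a == CONTEXT and (s, d) in writes and si != di]


def classify_registry(rows):
    """Per process image, which evasion/discovery/persistence checks it made."""
    by_proc = defaultdict(set)
    for row in rows:
        m = REG_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised registry row: {row}")
        _, key, proc = m.groups()
        for pattern, label in REG_CLASSES:
            if re.search(pattern, key, re.IGNORECASE):
                by_proc[ntpath.basename(proc)].add(label)
    return dict(by_proc)


if __name__ == "__main__":
    events = parse_memory_rows(MEMORY_ROWS)
    print("\n".join(render_tree(*process_tree(events), 4796)))
    print("hollowing:", find_hollowing(events))
    print("registry:", classify_registry(REGISTRY_ROWS))
```

Two things the WriteProcessMemory rows make visible once they are read this way. Every ordinary parent-child pair in the report shows exactly three writes, consistent with what CreateProcess itself writes into a new child, while the two RegAsm.exe targets that also receive SetThreadContext get ten and nine. And 6d36ec8513.exe (PID 4020) writes into seven RegAsm.exe instances (the seven RegAsm.exe entries listed under it in Processes) but only sets the thread context of the last one, 4804, so the injection into the earlier six never reached the resume step. The tree also places firefox.exe under the hollowed RegAsm.exe (PID 1008), launched with the Google account password page as its argument, so the firefox.exe rows in the processor-information, registry-class and SeDebugPrivilege tables are the browser's own startup behaviour, not capabilities of the payload. Persistence is two-pronged: the Run key that explorti.exe sets for e631a91209.exe, and C:\Windows\Tasks\explorti.job created by the original sample, which is the on-disk form of a task registered through the v1 ITaskScheduler COM interface that the "Uses Task Scheduler COM API" signature refers to.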

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe

"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\6d36ec8513.exe

"C:\Users\Admin\1000037002\6d36ec8513.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbdc14a6-c7ed-483a-ae8d-4a717918f9d9} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d8cd415-f2c3-49b0-b35f-e100aaac4070} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 3084 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700a5215-2532-494c-a0c9-e438b53eae32} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 2 -isForBrowser -prefsHandle 3332 -prefMapHandle 3404 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4001de8b-0514-4295-b660-ce2dbdae939a} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fa91c7b-a5ae-4647-8609-1934515261d9} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0731a7e-10eb-4ddb-b5a0-584ac6200d72} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {621e3b1a-5c3c-4a46-8100-7b08a9169e51} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0c3f063-338e-4997-8ca2-cb3ef26c47a1} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6364 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6216 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {204a64e3-0cea-4cc1-8551-d49c72a9d2de} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:57097 tcp
N/A 127.0.0.1:57105 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4796-0-0x00000000001A0000-0x0000000000667000-memory.dmp

memory/4796-1-0x00000000775C4000-0x00000000775C6000-memory.dmp

memory/4796-2-0x00000000001A1000-0x00000000001CF000-memory.dmp

memory/4796-3-0x00000000001A0000-0x0000000000667000-memory.dmp

memory/4796-4-0x00000000001A0000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 eb08ca426c0d2123f37fc72dd629dfb7
SHA1 a0e3043f563d7c1786c2abc250f32bac065ba94a
SHA256 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
SHA512 de957c52cf7b51efd2be72361978b4222285c7a69b013ec85e9766839b076581581bcbd2e198b2a2e3cc85d833b9c48b0ab09b221c291d069c89231f3429ca8f

memory/468-16-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/4796-18-0x00000000001A0000-0x0000000000667000-memory.dmp

memory/468-19-0x0000000000F61000-0x0000000000F8F000-memory.dmp

memory/468-20-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-21-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-22-0x0000000000F60000-0x0000000001427000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e631a91209.exe

MD5 2028fc2da0953fc19cceaf906d78edf5
SHA1 c1f5339f185dfa30385c0bb16a4a4a0a90e1d436
SHA256 89356f70821a7561ebd4c88c6d3c4610591154fd07804ac903e53ef3817887e4
SHA512 8e993895e854c302594a2246beaf87c9418ba174bfaba2b03834d56af71f32b53d65c55dbe11fb1acd660c551eaf1f17d6a8585d5892f4a83aca308ee5084399

memory/1620-41-0x00000000731DE000-0x00000000731DF000-memory.dmp

memory/1620-42-0x0000000000F70000-0x00000000010C2000-memory.dmp

memory/1008-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1008-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1008-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\6d36ec8513.exe

MD5 42252158d16167520a95adeab3eb15f4
SHA1 cf1786aa94bf1de5b0157a50d6d102847144960d
SHA256 d6f650af3380f2f251bb9b008939c070c9af647dd0b5ecb08e1f585142efe092
SHA512 46efad99f2bc8b4f08cf8c86fdff9d8b973e06c01ca14e822e3720760dc8622d75411b566efec18387ca9c7b8ddf7dff43dffeaa1318f4e8b92ef28914d40897

memory/4020-67-0x00000000000E0000-0x0000000000138000-memory.dmp

memory/4804-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4804-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2360-86-0x0000000000270000-0x00000000004B3000-memory.dmp

memory/2360-88-0x0000000000270000-0x00000000004B3000-memory.dmp

memory/468-89-0x0000000000F60000-0x0000000001427000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\f4c9efb8-f132-4d87-92c3-7419aa3c8f58

MD5 70138a7114c68ab31bf5b8d98f374288
SHA1 87bc121e539a67936508117eac629c728b1765c5
SHA256 b099c7c70ca3cd6a4f5204b7418906b4bd11dea10b802f0560505693b1c61270
SHA512 f93107719f9b4a6e109d58f337a8e2666ae20f11aac7673ba4b06a63b463d53dc4fe1b1b92200f548aa4249a4bee8cff9ec49f696dbb9b3872c34ed23a317757

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5f912f65-362a-4c7f-8299-ea7c23531074

MD5 185114dba4f72ca61cb58bf153b271e4
SHA1 b1705d094ea67a543731545c75cad083956cf3e3
SHA256 1c9a50c4aa3a7e47ddb92c968cc006a0fb458898aa3e8204142363fb86dc235e
SHA512 d7e4ea75eac83a85515e855dfaa60dc2c7f62edfff0cd1da9a2995c444d10f22a68ae9a84cc4218d6aaf367584e0936486992ce6de0eda1274a73423c0a4692f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5e900987-9821-4e98-a85e-93f5938fa8b1

MD5 de07ab266c27538500668c727a5c5dbf
SHA1 49b1defcea38cd00333042c6299ff8ed2deff9bb
SHA256 b5bac9c4e797a1d63036a54ea2049fbe2d2774f3a2a08daa159648a4d9073057
SHA512 f67035aaaebcab2afb722f365252bfb2ec155dd049d62bb10a77f4c34b58711c6bd1b8cca45249848df8b6c4f2c6a021b7a422be77b02268bd41ca63287d17ac

memory/468-302-0x0000000000F60000-0x0000000001427000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 d5d2cf18ce4b5ea963f8229acf75d3cf
SHA1 481f4193a0a99698ad022a59102a938eeaac8e9f
SHA256 833d53fa8fb30a844a49c7982ce14bdd1afb07c6b05145d7816067541ff87931
SHA512 42408a81fc7ac6ab27d59d48abe88adde74c7c0c0c3999dbba63808c2723128602d636e5f9b46d22d63374571e4a67de20844a405628a2c61c504613f88b35fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 7bc65505d22593472a9bd636bad18911
SHA1 1673db16bed0553e96e70e1c259aa824991828c0
SHA256 a1376356f89d87153b56201bb7031792c86a94b75d466f98906ad49967df651b
SHA512 07bb0e51d0193ed9d6cd256f5ec0d37df4b1b0a267e821a40b5b9d8d4b1d6e742b4dc0110e17c3556cf04b2e0dea336e5d721f9ebd4b43a8f052d5fdac201beb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

MD5 858f928ec5bea0fe145fa92663289fe5
SHA1 f3a663846cb14d1baa768c8d2069e2c93ee0ff22
SHA256 c379c384be7a147e877574f0e98045630b221b30db661c70da17fa252ccbbec7
SHA512 cf73b9a492e739787ad4417289881d0a4e4bfeb8fc89a1bbe9b80e9cb6bc533ed252f9f0a116a4278df70654aad52394efbf4af4b5d9e10a98f94edd7df7b9de

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

MD5 739db4a439b77d470c70757edfbfd2c5
SHA1 ab804607687ab2437151f2151259a2a5fa7ec6b4
SHA256 944f19c66837039d0106dc6da2271f32fd7c95dc18fa257ab51075838164ee23
SHA512 d187308a261ab74991284bead2c2d6f3e4b205f3cffcb51dc3104b96c9b9f201f3ca562db402a5bc05a69bf836edb8b3a319f7eca9b3977220fc12fac4401c07

memory/468-414-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-421-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-441-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/5940-442-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/5940-444-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-449-0x0000000000F60000-0x0000000001427000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 4254599bda5890800a42e493ccc3adce
SHA1 14801c08a7869e2fc91f448e417ea10763c06563
SHA256 f83581d541e438707baaca1a0e076c1af85f17dbd3d07335da315d95ab932d01
SHA512 95687ea9cd88848a142fbe4eea542a6efad7649fc45c9c16c1c14839ffb031567c5f218ef1d2776a1f532492b4ba3d397b2e608d9aa368f522fa23a082286172

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 5ec26a4d3d350e7010d29fb98f742f3b
SHA1 bcb38d3b5ded783fbf3398c21e69ae2c0af3faa9
SHA256 bbdd620e41c9463c7a7ce0a2eadf43c8d2261694fa011becbbc11e6853239a40
SHA512 3ba28ada06e4d5dd2974741d2d623ab1cdac3dcd720d91922bc135efbbdcff276e5657eeec50dd2f375593f8306f404351764827961eafc1a25af7b9a7c4b11b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 b642abdabf46d51d9fcd18b7765efc11
SHA1 56efa5543726b355e5b96fdae2f563289e0950d5
SHA256 60f389c39a7e0f7849de9829e987b8641845cda1e52d7e0ead4077feb1e53daa
SHA512 1a3adc79fdaae0afbbd17e2415e673bc741fffc80126851c18efbbc6a6f13a2df44ceff0969f01003cc431f46c0604315e5a6d8f54565564d9ec5b7695033f76

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 20b1315a1638684593e1aaee88e0741c
SHA1 02a5ff0d7253dec4ae5d03d0bdb62df3db878907
SHA256 a3e7c4c2bc53f9768042ef722f9dfa8a94c0ce58e5152a0c4d4ea56d37ee2a7e
SHA512 ce38c5a6eed816b67e153b2dda242bc68d82a0283940c1d85800fe412e7c4163b0cf7a2106e873d58d394d2cf41402cab1671a5ffac3a352ef8f9def9661191a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 0a71be70bde36b00857507fb44ca528a
SHA1 0fad2d0ab52e6aca30087f3580c6a8d06a3c6443
SHA256 b15219d46c4a1e2167f370046a1c19e7c62090267e77c0b1d59ad181bc2b556b
SHA512 d4bffd9d7742638dc8d10a180c970cc2e3a3ab9b4e4e081486585b0ddc0ced904f97856aaf3bdc2fcbe1530a094520136f46d01e3db77f93653fd07236c2c63d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

MD5 87e14aceb3df85cc2d2a9aaac3b1548c
SHA1 cc1d6e5dcf8ee92acaa146f289fa0eb6ff7aa472
SHA256 cd019bf9a27ab9febd32c7ab9067fe89e50e118419263f111201c120f2103b79
SHA512 49cd604339362c8296bacb26ff3bbe8dad05b1ca4c9b44e8bb46a964d0e9562386a56c5c14930452d3465e77db4f82bb09307ae3dc66a76e6a9250552155d01c

memory/468-955-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-1540-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2449-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2660-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2665-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/2092-2666-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/2092-2667-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2668-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2669-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2670-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2671-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2677-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/5936-2680-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/468-2679-0x0000000000F60000-0x0000000001427000-memory.dmp

memory/5936-2681-0x0000000000F60000-0x0000000001427000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:21

Reported

2024-08-15 10:24

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\e510a07eb4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e510a07eb4.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4564 set thread context of 1100 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1592 set thread context of 5988 N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\6d36ec8513.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical rows collapsed into one)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5600 wrote to memory of 4784 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4784 wrote to memory of 4564 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe
PID 4564 wrote to memory of 1100 (10 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1592 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6d36ec8513.exe
PID 1592 wrote to memory of 5988 (9 identical rows) N/A C:\Users\Admin\1000037002\6d36ec8513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 5196 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe
PID 1100 wrote to memory of 5332 (2 identical rows) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5332 wrote to memory of 5912 (11 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5912 wrote to memory of 232 (20 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
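The WriteProcessMemory rows above are the whole injection chain of this detonation when read by PID: the submitted sample writes into its self-copy explorti.exe, explorti.exe writes into each downloaded payload, and two of those payloads write into RegAsm.exe, a Microsoft .NET utility under C:\Windows. Together with the "Suspicious use of SetThreadContext" signature in the summary that is the usual hollowing sequence; the firefox.exe to firefox.exe rows are ordinary parent-to-content-process writes. The script below is an added example and is not part of the sandbox report. It parses rows in exactly the table's layout, counts writes per writer/target pair, rates each pair by where the two images live, and walks any PID back to the root of the chain. The trust classes in trust_class() and the function names are this example's assumptions, not report data; the event rows are copied from the table.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory' rows.
Added example for this report, not sandbox tooling. Events are copied from the
table above; the trust classes in trust_class() are this script's assumption."""
import re
from collections import Counter

# Image paths exactly as they appear in the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD_1 = r"C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe"
PAYLOAD_2 = r"C:\Users\Admin\1000037002\6d36ec8513.exe"
PAYLOAD_3 = r"C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# (src PID, dst PID, src image, dst image, identical rows) from the table above,
# expanded back into the report's one-line-per-event layout for the parser.
EVENTS = [
    (5600, 4784, DROPPER, EXPLORTI, 3), (4784, 4564, EXPLORTI, PAYLOAD_1, 3),
    (4564, 1100, PAYLOAD_1, REGASM, 10), (4784, 1592, EXPLORTI, PAYLOAD_2, 3),
    (1592, 5988, PAYLOAD_2, REGASM, 9), (4784, 5196, EXPLORTI, PAYLOAD_3, 3),
    (1100, 5332, REGASM, FIREFOX, 2), (5332, 5912, FIREFOX, FIREFOX, 11),
    (5912, 232, FIREFOX, FIREFOX, 20),
]
REPORT_ROWS = "\n".join(f"PID {s} wrote to memory of {d} N/A {si} {di}"
                        for s, d, si, di, n in EVENTS for _ in range(n))

# Paths contain spaces ("Program Files"), so anchor on the drive letter and the
# trailing ".exe" instead of splitting on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A "
                    r"([A-Za-z]:\\.+?\.exe) ([A-Za-z]:\\.+?\.exe)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every event row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def write_counts(rows):
    """Number of WriteProcessMemory events per (src_pid, dst_pid) pair."""
    return Counter((s, d) for s, d, _, _ in rows)


def trust_class(image):
    """Assumed trust class of an image path (a heuristic, not report data)."""
    low = image.lower()
    if low.startswith("c:\\windows\\"):
        return "os"         # OS binary, normally Microsoft-signed (RegAsm.exe here)
    if low.startswith("c:\\program files"):
        return "installed"  # installed application (Firefox here)
    if low.startswith("c:\\users\\"):
        return "user"       # user-writable: where droppers and downloaded payloads live
    return "other"


def injections(rows):
    """One finding per writer/target pair, rated by the trust classes involved."""
    images = {}
    for s, d, si, di in rows:
        images[s], images[d] = si, di
    findings = []
    for (s, d), n in sorted(write_counts(rows).items()):
        si, di = images[s], images[d]
        sc, dc = trust_class(si), trust_class(di)
        if sc == "user" and dc == "os":
            sev, why = "high", "user-writable image writes into an OS binary (hollowing/injection pattern)"
        elif sc == "user" and si != di:
            sev, why = "medium", "user-writable image writes into a different user-writable child"
        elif si == di:
            sev, why = "info", "parent writes into a child of the same image (normal for multi-process browsers)"
        else:
            sev, why = "low", "OS or installed image writes into a different image; check the child's command line"
        findings.append({"src_pid": s, "dst_pid": d, "src_image": si, "dst_image": di,
                         "writes": n, "severity": sev, "reason": why})
    return findings


def lineage(pid, rows):
    """PIDs from the root of the chain down to pid, following first-writer links."""
    parent = {}
    for s, d, _, _ in rows:
        parent.setdefault(d, s)
    chain, seen = [pid], {pid}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for f in injections(rows):
        print(f"[{f['severity']:6}] {f['src_pid']} -> {f['dst_pid']} x{f['writes']}: {f['reason']}")
    print("lineage of PID 5988:", " -> ".join(map(str, lineage(5988, rows))))
```

The two "high" findings are PID 4564 into 1100 and PID 1592 into 5988, both RegAsm.exe; the RegAsm.exe into firefox.exe pair rates "low" on image class alone, but its child's command line in the process list (the Google account password page) is what makes it worth a second look, so image class is a ranking aid, not a verdict.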

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe

"C:\Users\Admin\AppData\Local\Temp\094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\6d36ec8513.exe

"C:\Users\Admin\1000037002\6d36ec8513.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a894e17-31b7-4387-a925-68d4f762a1ff} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f97d830-1c50-43df-8bde-584333a0f520} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2764 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b597ca-85fa-46a1-af61-a40dd73aa3cd} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3996 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4008 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe264ce7-193c-4875-b1d3-79f6c0eee48b} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4620 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46863e36-c83b-414c-878e-ca9a867339ab} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 3 -isForBrowser -prefsHandle 4624 -prefMapHandle 5624 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e9b0883-e387-4a28-b88c-ee733cc9f998} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 4 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b8b3723-c9e4-4227-b3e3-0c7129c96245} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5348 -prefMapHandle 5360 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02da0a5a-efb6-4c95-88c2-b5189215187b} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6208 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6188 -prefsLen 27129 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94cf3f0-27a4-4da3-8db3-a758330fed3b} 5912 "\\.\pipe\gecko-crash-server-pipe.5912" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49894 tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
N/A 127.0.0.1:49903 tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
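The Network table mixes the implant's own connections with Firefox background traffic, because RegAsm.exe (PID 1100) started firefox.exe during the detonation (see the WriteProcessMemory rows and the process list). The three plaintext HTTP connections straight to 185.215.113.x with no hostname are the rows that matter for blocking. The script below is an added example, not part of the sandbox report: it parses rows in the table's own layout, treats plaintext HTTP to a bare IP as candidate C2, folds those into a /24 for a blocking rule, decodes the in-addr.arpa PTR queries back to the IPs they ask about, and files Mozilla and Google hosts as browser noise. All of that is a heuristic; the report does not attribute connections to processes, so confirm against a per-process capture before turning this into a blocklist. The embedded rows are a subset copied from the table; the suffix list and the function names are this example's choices.

```python
"""Separate candidate C2 from browser background traffic in the Network table.
Added example for this report, not sandbox tooling. Rows are a subset copied
from the table above; the classification rules are this script's assumption."""
import ipaddress
import re
from collections import defaultdict

# Subset of the report's rows (Country Destination Domain Proto); the loopback
# row has no domain column, exactly as in the report.
SAMPLE_ROWS = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
N/A 127.0.0.1:49894 tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
"""

ROW_RE = re.compile(r"^(\S+) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")

# Hostname suffixes treated as browser background traffic (assumption: Firefox
# was launched by the hollowed RegAsm.exe, so its telemetry shows up here).
BROWSER_SUFFIXES = ("mozilla.net", "mozilla.com", "mozaws.net", "mozgcp.net",
                    "getpocket.com", "google.com", "gvt1.com")


def parse_network(text):
    """Return one dict per row; domain is None when the column is absent."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ipaddress.ip_address(ip).is_loopback:
        return "local"
    if port == 53:
        return "dns"
    if domain == ip and port == 80:
        return "candidate_c2"  # plaintext HTTP straight to an IP, no hostname resolved
    if domain and domain.endswith(BROWSER_SUFFIXES):
        return "browser_noise"
    return "review"            # named host we cannot attribute; look at it by hand


def _by_ip(endpoint):
    return ipaddress.ip_address(endpoint.split(":")[0])


def triage(text):
    buckets = defaultdict(set)
    for row in parse_network(text):
        kind = classify(row)
        if kind == "dns":
            target = ptr_to_ip(row["domain"])
            buckets["ptr_targets" if target else "dns_queries"].add(target or row["domain"])
        elif kind == "candidate_c2":
            buckets["candidate_c2"].add(f"{row['ip']}:{row['port']}")
            net = ipaddress.ip_network(f"{row['ip']}/24", strict=False)
            buckets["c2_networks"].add(str(net))
        else:
            buckets[kind].add(row["domain"] or row["ip"])
    return {
        "candidate_c2": sorted(buckets["candidate_c2"], key=_by_ip),
        "c2_networks": sorted(buckets["c2_networks"]),
        "ptr_targets": sorted(buckets["ptr_targets"], key=ipaddress.ip_address),
        "dns_queries": sorted(buckets["dns_queries"]),
        "browser_noise": sorted(buckets["browser_noise"]),
        "review": sorted(buckets["review"]),
        "local": sorted(buckets["local"]),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_ROWS).items():
        print(f"{key:14} {values}")
```

On this sample the candidate C2 set is 185.215.113.16:80, 185.215.113.19:80 and 185.215.113.100:80, all inside 185.215.113.0/24; the PTR query for 185.215.113.19 lands in ptr_targets, and the akamai.net row is left in "review" because a named host on port 80 is neither clearly implant traffic nor clearly browser noise.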

Files

memory/5600-0-0x0000000000B30000-0x0000000000FF7000-memory.dmp

memory/5600-1-0x0000000077C26000-0x0000000077C28000-memory.dmp

memory/5600-2-0x0000000000B31000-0x0000000000B5F000-memory.dmp

memory/5600-3-0x0000000000B30000-0x0000000000FF7000-memory.dmp

memory/5600-4-0x0000000000B30000-0x0000000000FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 eb08ca426c0d2123f37fc72dd629dfb7
SHA1 a0e3043f563d7c1786c2abc250f32bac065ba94a
SHA256 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0
SHA512 de957c52cf7b51efd2be72361978b4222285c7a69b013ec85e9766839b076581581bcbd2e198b2a2e3cc85d833b9c48b0ab09b221c291d069c89231f3429ca8f

memory/4784-16-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/5600-17-0x0000000000B30000-0x0000000000FF7000-memory.dmp

memory/4784-18-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-19-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-20-0x00000000006C0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe

MD5 2028fc2da0953fc19cceaf906d78edf5
SHA1 c1f5339f185dfa30385c0bb16a4a4a0a90e1d436
SHA256 89356f70821a7561ebd4c88c6d3c4610591154fd07804ac903e53ef3817887e4
SHA512 8e993895e854c302594a2246beaf87c9418ba174bfaba2b03834d56af71f32b53d65c55dbe11fb1acd660c551eaf1f17d6a8585d5892f4a83aca308ee5084399

memory/4564-39-0x00000000735EE000-0x00000000735EF000-memory.dmp

memory/4564-40-0x0000000000420000-0x0000000000572000-memory.dmp

memory/1100-42-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1100-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1100-44-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\6d36ec8513.exe

MD5 42252158d16167520a95adeab3eb15f4
SHA1 cf1786aa94bf1de5b0157a50d6d102847144960d
SHA256 d6f650af3380f2f251bb9b008939c070c9af647dd0b5ecb08e1f585142efe092
SHA512 46efad99f2bc8b4f08cf8c86fdff9d8b973e06c01ca14e822e3720760dc8622d75411b566efec18387ca9c7b8ddf7dff43dffeaa1318f4e8b92ef28914d40897

memory/1592-65-0x0000000000360000-0x00000000003B8000-memory.dmp

memory/5988-67-0x0000000000400000-0x0000000000643000-memory.dmp

memory/5988-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/5196-85-0x0000000000C00000-0x0000000000E43000-memory.dmp

memory/5196-86-0x0000000000C00000-0x0000000000E43000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\5646e9be-bdc3-4084-bfe1-c3f338f17b3c

MD5 979b79bb1ab026d29b60d0b1cf28b20e
SHA1 d24c001a25befcc3ca0a7c06a4c7e504fad8d922
SHA256 42f0edf183d8e536cdbe97b0f3f5dd20a805a01518fa527343da676884542608
SHA512 c1881ea0960368f019745d1cd78f5b122de887c3a3bb2babb7e9290f5a7edac21fca548b806166cf9fcfaba01432db3dc03d74fb1e08214dd4caf53672bbd0bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\8dc05ea5-6eb4-444e-a7eb-6553fc13725e

MD5 9e58e802606122a17ef33e330c4e83e8
SHA1 c7da8c01302617aec45b03a06f532c182d241b4a
SHA256 5270983a67e4d7feb867932d6d2f91a46ce20fc5f45a385b4685e72430d688ea
SHA512 6bc45dfd5373e2c1c313d27af744e5b05baa68cfb283de98bc9c57a648dae4a1c731a303bd42e12ed9791ad1decffaf8db982165e5ec8172c7823c60ccaca856

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\3396e9d3-e7dc-4c73-92c1-87ceb872d959

MD5 76ff20bac844c06ce35d9b8126cf2298
SHA1 5615b10d7e9ef4a76b8e388f505a840728dbb32e
SHA256 82252bf767ca23cd3962f5355bbcb2565b8998473086dbbb16073a7f856df7b7
SHA512 b09642fca49c97584fd630c967662e4e44fbd33b5f17f3e1f922aca010d1e51293cd15fa508102a3f99711f6a339efd1dd6e76aab9a74174153bb6cd871cdcb8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 afe026919868b525bdfa2201bcc1827f
SHA1 cd0a930468d11d5850957f98d1cb1a97b06db3d0
SHA256 3c3c45222d69fc417909bd31b6d84a4ebe8dae14b1db13f856beb15aea709d5a
SHA512 1a53997023fa196b7b2e6b014245bf4a0d9d28bda8737f0cb7be566181f451ac195132a085c309313550f5cc972e803b7279da6f14692dee8fd3279df7b184de

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json

MD5 e6eb0f43e661516e7421aeaa53a8ed68
SHA1 57ba20128213d999a475e3d0aaea857a548fabca
SHA256 315a5d648f2604f2e906a07fe1aca86af562394a232b8b90f8422f9cf208a4af
SHA512 ebaf50b6a6e114c1498a4d5ecc4316144cebfcd7793815f61da9d11361602777d1964dce13881e8393b65649fb78bfb965c9271b121ea28ebdfbce85e3ba7c30

memory/4784-350-0x00000000006C0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 0552f2fd9e01cf0568d165760523f2a3
SHA1 abe7b348e04241965f3743e2d3fc15891c3668a5
SHA256 b62b35e605f82ee5583955d1a2ab622e78b325312e23a0d3e4a70d9bc72de392
SHA512 a01418e51360368bd9d282ff671d377ac310ff68a1675187366ed8c08a375a7b30a2db540b4cd89738544e8793fbde3e1833e352b7029d72ed59daaffe25c259

memory/4784-403-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-418-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-420-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-419-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/2848-442-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-441-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/2848-444-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-449-0x00000000006C0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 a53bb1da515b197e07a233085955a602
SHA1 e03546ea3bf33928046d76df0ff69002ff149922
SHA256 5ceca4077497f16fa9b99af8013cff6d5ea3b962f57f72d75e3494d634b08d86
SHA512 8c8a69aaeabbb306c5af1f23d8a03c926f284c45c19624d2fe26f32d5a3f16904a0de5d46e72bda80d8a4827797bec46612176f4e7ac553111566da7ff07f09f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 0c2278b4d28bc165af1d00d791bb4372
SHA1 7b7db0dad122647fd77743075ce0d729c6783017
SHA256 25307d1b5782ca0f254c8515e83bde041542b75d9d572c5dbd499804cf4b9d29
SHA512 1640a947b525f3e581aea3e044378b11df9701be150aeded3ae12b4c007e6074922620b0838810b386d26b53d0bd37c129a6e40156fabc5d080f7ded2eceb227

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 c7972a3c17b3d3fba42ba0b709e66a64
SHA1 d5ec28986a3b27e2be9f7b2cf2266a8b80cb1002
SHA256 8a44c535463434b4eb202360949466a65994092caf20b874ca7d4e9ba7af9ba6
SHA512 2a71e8b2c7fe23da6ab63052063ecef7019e7144d6700143602be70be5a168f764343857a991fc87693591852bdcf447d7679b8d6ee0d69b6f0c6b9d2ff62248

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9dd252fbd2142c6c4460aafe16dc7b85
SHA1 342cea49a4ccd06f5b46e62d9e28ad20a16c4689
SHA256 b48e4b563102e8316a5b6b2964993a32bbab62857348eb221cdb8c2f6406ff78
SHA512 21ac3dac1b73d9aaab305a469872fb11d6a264122b3aed27b984908e987a69dc0d76c9d0132b585145a3a2ed1df0451b8ec93f3854d0646cc0608e5739979963

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 edbc75fc479b168c3c76d8242e14fd96
SHA1 e1354b9b6bd5e20ff307f0be79b113b52a79d173
SHA256 ef938f79b22042ef7241df876f7aa0e24dbf2b670c943f0f816360d6115d9545
SHA512 2cf5c4d07b1e0e7dee0db38cc00e272c77e23c4f76de3e40c4a16ffc62524ed3b12bea99491d153404a4cf6edd69819d1f287ef43e8b0f14a403a682ee026bd5

memory/4784-1127-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-1907-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2658-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2666-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2670-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/2512-2672-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/2512-2673-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2674-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2675-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2676-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2677-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2683-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/4784-2684-0x00000000006C0000-0x0000000000B87000-memory.dmp

memory/244-2686-0x00000000006C0000-0x0000000000B87000-memory.dmp
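Two points in the Files list are easy to miss. First, explorti.exe carries the same SHA256 as the submitted sample, so it is a self-copy into a random %TEMP% subfolder rather than a second payload, and a hash blocklist built from this section has four entries, not five. Second, the dumped regions for PIDs 4784, 2848, 2512 and 244 all cover 0x6C0000-0xB87000, the same size as the 0xB30000-0xFF7000 region of PID 5600, which matches the repeated explorti.exe launches in the process list. The script below is an added example, not part of the sandbox report: it parses a subset of the entries in the list's own layout, separates dropped executables from Firefox profile state, flags self-copies, builds the hash blocklist and computes the region sizes. SHA512 lines are left out of the embedded sample for brevity (the parser accepts them); treating everything under Mozilla\Firefox\Profiles as browser state, and the function names, are this example's assumptions.

```python
"""Pull IOCs out of the Files section: dropped executables and their hashes, the
self-copy check, and the size of each dumped memory region.
Added example for this report, not sandbox tooling. Entries are a subset copied
from the list above; the browser-state rule is this script's assumption."""
import re

SAMPLE_SHA256 = "094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0"

# Raw string: the paths contain backslash sequences such as \U that a normal
# string literal would reject.
FILES_TEXT = r"""
memory/5600-0-0x0000000000B30000-0x0000000000FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 eb08ca426c0d2123f37fc72dd629dfb7
SHA1 a0e3043f563d7c1786c2abc250f32bac065ba94a
SHA256 094d41c0784a2aa7ace63455cf6b884667277855d6dd3c4cf9efdff3c5fab5c0

memory/4784-16-0x00000000006C0000-0x0000000000B87000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e510a07eb4.exe

MD5 2028fc2da0953fc19cceaf906d78edf5
SHA1 c1f5339f185dfa30385c0bb16a4a4a0a90e1d436
SHA256 89356f70821a7561ebd4c88c6d3c4610591154fd07804ac903e53ef3817887e4

memory/1100-42-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\6d36ec8513.exe

MD5 42252158d16167520a95adeab3eb15f4
SHA1 cf1786aa94bf1de5b0157a50d6d102847144960d
SHA256 d6f650af3380f2f251bb9b008939c070c9af647dd0b5ecb08e1f585142efe092

C:\Users\Admin\AppData\Local\Temp\1000038001\79632d75dd.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 0c2278b4d28bc165af1d00d791bb4372
SHA1 7b7db0dad122647fd77743075ce0d729c6783017
SHA256 25307d1b5782ca0f254c8515e83bde041542b75d9d572c5dbd499804cf4b9d29

memory/2848-442-0x00000000006C0000-0x0000000000B87000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files(text):
    """Return (files, dumps): files are dicts with path and lowercase hash keys,
    dumps are dicts with pid, seq, start, end and size."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return files, dumps


def is_browser_state(path):
    """Assumption: anything under a Firefox profile is browser state, not malware output."""
    return "\\mozilla\\firefox\\profiles\\" in path.lower()


def dropped_executables(files):
    return [f for f in files
            if f["path"].lower().endswith(".exe") and not is_browser_state(f["path"])]


def self_copies(files, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f.get("sha256") == sample_sha256]


def region_sizes(dumps):
    """Distinct (start, end, size) per PID; equal regions across PIDs hint at one image."""
    out = {}
    for d in dumps:
        out.setdefault(d["pid"], set()).add((d["start"], d["end"], d["size"]))
    return out


def iocs(text, sample_sha256):
    files, dumps = parse_files(text)
    exes = dropped_executables(files)
    return {
        "executables": [(f["path"], f["sha256"]) for f in exes],
        "sha256_blocklist": sorted({f["sha256"] for f in exes} | {sample_sha256}),
        "self_copies": self_copies(files, sample_sha256),
        "browser_state": [f["path"] for f in files if is_browser_state(f["path"])],
        "region_sizes": region_sizes(dumps),
    }


if __name__ == "__main__":
    for key, value in iocs(FILES_TEXT, SAMPLE_SHA256).items():
        print(key, value)
```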