Malware Analysis Report

2024-10-18 23:41

Sample ID: 240815-narffstgpq
Target: f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4
SHA256: f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4

Threat Level: Known bad

The file f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-15 11:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 11:11

Reported: 2024-08-15 11:14

Platform: win10v2004-20240802-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad680e6ae3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ad680e6ae3.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2360 set thread context of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 set thread context of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\c6044c27ad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2372 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2372 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4012 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe
PID 4012 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe
PID 4012 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe
PID 2360 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2360 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4012 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\c6044c27ad.exe
PID 4012 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\c6044c27ad.exe
PID 4012 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\c6044c27ad.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 2624 | N/A | C:\Users\Admin\1000037002\c6044c27ad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4012 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe
PID 4012 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe
PID 4012 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe
PID 3352 wrote to memory of 3460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3352 wrote to memory of 3460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3460 wrote to memory of 432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 1052 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe

"C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\ad680e6ae3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\c6044c27ad.exe

"C:\Users\Admin\1000037002\c6044c27ad.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae0ecc9-1c7e-41b2-8e3f-133a88aa12c0} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18153760-7bf1-4515-8961-04e9cc6bf2e2} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1380 -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2692 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddec26d2-adb2-40d4-8741-72b1f98d08fc} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3120 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2527bc-b33a-43e3-ad90-b5ce07a86321} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4204 -prefMapHandle 4324 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de001ef1-4cee-4dc6-8fe1-61f2eed36511} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5380 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20c81643-adac-48c3-b398-259cb6be49f2} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2416bc96-fca1-420a-96af-9738eeb9d97f} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a54976b-17b0-4a12-aa2e-49fa39dc2ffa} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6324 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6280 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9798b45-1399-44df-9089-a8078a2e4ad8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:11

Reported

2024-08-15 11:14

Platform

win11-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a6edf132c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\6a6edf132c.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3240 set thread context of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 set thread context of 3312 N/A C:\Users\Admin\1000037002\c6044c27ad.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\c6044c27ad.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1012 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe
PID 3240 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1012 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\c6044c27ad.exe
PID 3044 wrote to memory of 3312 N/A C:\Users\Admin\1000037002\c6044c27ad.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1012 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe
PID 1476 wrote to memory of 3568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3568 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4092 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe

"C:\Users\Admin\AppData\Local\Temp\f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\c6044c27ad.exe

"C:\Users\Admin\1000037002\c6044c27ad.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4aec3d0-c125-4bec-ac58-2c8203a547a9} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2889b02f-9168-4b45-a981-2a980be1cf95} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3208 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e1502e5-d38a-400c-8941-27a854d5801d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 3416 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91002e2b-68b6-47a8-8ef3-7931c35b73b5} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5020 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 5008 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad7e8915-6612-4dac-a2a7-8b659b363395} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f335907-a7cd-4101-bd30-7a5320458182} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faa0670a-bcc8-4004-a882-7ccaeea8564b} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de5c99c-7a2e-4bd8-8816-c274c768e2de} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6284 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6292 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac7514d0-f5da-4aef-aaef-44be27b3619e} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49888 N/A tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
FR 216.58.214.174:443 accounts.youtube.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49897 N/A tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 accounts.youtube.com tcp
FR 216.58.214.174:443 accounts.youtube.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/4664-0-0x0000000000030000-0x00000000004F5000-memory.dmp

memory/4664-1-0x0000000077436000-0x0000000077438000-memory.dmp

memory/4664-2-0x0000000000031000-0x000000000005F000-memory.dmp

memory/4664-3-0x0000000000030000-0x00000000004F5000-memory.dmp

memory/4664-4-0x0000000000030000-0x00000000004F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f557954b5982d5d5e5790159b77a006b
SHA1 bb1e26bd6f6c8c692e55e8af0a7bc55dc4cc8a40
SHA256 f5d291799fa4b9a06d0a9ce3659e5a23d2af9a0078c41e647a39c717cc8a02a4
SHA512 62d4bddb6cd0de21f343cb8c1a74fb2d782e42d2bea64e4b3f71ee5f669dc1bea9333d0c754b6d68a3bf6475a7d407bd4e57534cae9302f06adb3a87b9641a0f

memory/1012-17-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/4664-16-0x0000000000030000-0x00000000004F5000-memory.dmp

memory/1012-20-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/1012-21-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/1012-22-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/960-23-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/960-24-0x0000000000E20000-0x00000000012E5000-memory.dmp

memory/960-27-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/960-26-0x0000000000E20000-0x00000000012E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\6a6edf132c.exe

MD5 2612734765aebd090503d35763541ec8
SHA1 ef79c796547bca330b8aa3cdbdee41f633dd4b11
SHA256 88fdc3cf67a6103d59c7e8f5461adbf9d9b508241304dbc4e3c66c718b7cf20e
SHA512 f6e17c16b5a39d38f41dc4510765e35d041ba298e92a3eb38f450d55fb5d64a3d671008cff5b922b7417c9c3584d4352f669d20cb8ad07102cfe84e51a2966c8

memory/3240-46-0x0000000000A50000-0x0000000000BA2000-memory.dmp

memory/1476-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1476-50-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1476-52-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\c6044c27ad.exe

MD5 6bfbac43f2f89b755e6834525094bd7a
SHA1 ea6b15a43afffe46624aaa637fd8c797685b8a36
SHA256 f5185c63dd33074e8fb99b3fc5628e4632c325c40022396544cfc792b58dd15a
SHA512 f651e1a889c8fe25b54877fd22bfbe71e1f12f7db4d5b17eafb13e8981ee82a71b4b31325893defc499a053b908f15a207f938e247c9947ffafa1193887373df

memory/3044-71-0x0000000000E10000-0x0000000000E68000-memory.dmp

memory/3312-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3312-75-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1012-76-0x0000000000E20000-0x00000000012E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\7351d56daf.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/456-91-0x0000000000DB0000-0x0000000000FF3000-memory.dmp

memory/456-93-0x0000000000DB0000-0x0000000000FF3000-memory.dmp

memory/1012-99-0x0000000000E20000-0x00000000012E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 78d3b24a6d8e9d524a4f1e634eca527d
SHA1 b736fb1fd5ab55216ea33a550c524ede0fc42525
SHA256 c460abe534e90a84552d31783dbab3170d1fba98501ed93bf304e397ceaa2e94
SHA512 ccf22f1c135bf7e8676c06f7577529faaf78fe68e1d1e0e704384be3e74c12f86538aa0804b485c38733e967d70f0714851e79d52c0f086481a670210e599673

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 9774072afbb928604838374cb5ba73cf
SHA1 695dc9374e3615ef6f4bc70bcf511c046248d8cc
SHA256 909459e9f77a097541a3daf63fbca9d8e5426e18f151656fceca8ef9c4e0a2d0
SHA512 8513b6b23991c425123dcf2c573f6aa39faa002f0f5017b953ea063cacdf09e936be59bf8788335ea6c24cecfb026b9780dd4da4455011fad98faa4221c3e733

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 47c155e5e07e9a9777216ecb4fd49aef
SHA1 294e5331eb5548443daf8fa45845048ae3b755f9
SHA256 16ed51caa19a5dedf9b6dc8d4db1105889c0dc0b9216048260854beb26584c91
SHA512 a40ec645fb2a2b57454d0cd2a65c488911437fcf971c2abaef2c150d6dfb6a4781c4f95dbd142982740ae63b37ff519d6838e2adcdcab5975706da68c1f855ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\3c29d7b7-416f-44f6-8e24-d58c72eb05a6

MD5 5590f17b4535fae9761e89ccbd5c845a
SHA1 31956564f1f8b5425ff442c591100f5fd72a15a6
SHA256 22a0c658889a5769e8bd3362703d9e8502c102c4c56ff1279601c0e6cc8aefad
SHA512 74494e512a10d934d04df5b87aab4002a9b4b411261941faec855b03f742b3ec5ed82627cabdcae2e11f0acc82552e169c11abd3b91e4f3345b86faae7a5e1b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\252e25b6-7e13-4d06-9d72-e27f327f750f

MD5 c2c1f615a41154eb37afc396182e959a
SHA1 b13285815b8fa4369fced1243ae799dab1022071
SHA256 fe63f13d8e833b6b07242c8c20d3d7cac4a7ea9a5d245f12249d7ce981030be0
SHA512 4641f822c00376a4dd0dc4d006ea1bb143496fdd53008379fbefe13148782e3ba24d16b5fe22289fe0773bb3db42231c61508ec8d6795c84bf5bbb007d9f8ab0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\5273773f-cd69-4f6c-84c4-083115c3c641

MD5 58b536988514655989826ce45bb5529a
SHA1 54402d73201e9d034f66e55dca7e6314298a4f53
SHA256 d1f0605679b05d5924adbd99b7de0834ad3b1973d91f33bffb423ad86216e034
SHA512 9d832bfde58cffe510405bd9dd82026d3c5bc3221bc3414e5a872e0a738fa89b916fc010e1131407e4db1a0499479c69e70a6ae96088371b9cf0b1043b318409

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

MD5 efd2dfdd52b0a097a0edc3bf2294e896
SHA1 5dc3a460c98900385d3189769e3f7a7665ed502c
SHA256 81aa7ac2b7504c90cb72954c4a6d7098b98cb397487b2c7fa0e092a295312c0f
SHA512 53d7516cc1935fc1b246f1d5a413f11daa4f82b9c5e65226a82ed4d0a58b4e2c19a9fae52a2cf6ad60867c5c848b6a6f5d6d9e38369ef20ad6f08ef9967e9783

memory/1012-365-0x0000000000E20000-0x00000000012E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 e1251969e23c35acfea9730b2b002d9b
SHA1 27166dcc7d72978b64218a2f774d4e135b44bd74
SHA256 74212d2b319518597ab84c8c5550727df35397c629dcd622c9fa92758792875a