Malware Analysis Report

2024-10-18 23:40

Sample ID 240815-ry87ys1ekr
Target 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf
SHA256 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf

Threat Level: Known bad

The file 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

Identifies Wine through registry keys

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 14:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 14:37

Reported

2024-08-15 14:39

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (repeated 3 times)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (repeated 3 times)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3d2958541.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d3d2958541.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (repeated 3 times)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3228 set thread context of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4204 set thread context of 1492 N/A C:\Users\Admin\1000037002\b86952c565.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\b86952c565.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\a8675ae254.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (repeated 5 times)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (repeated 7 times)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (repeated 21 times)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (repeated 36 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (repeated 7 times)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (repeated 20 times)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (repeated 37 times)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 688 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (repeated 3 times)
PID 1376 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe (repeated 3 times)
PID 3228 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (repeated 10 times)
PID 1376 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b86952c565.exe (repeated 3 times)
PID 4204 wrote to memory of 1492 N/A C:\Users\Admin\1000037002\b86952c565.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (repeated 9 times)
PID 1376 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a8675ae254.exe (repeated 3 times)
PID 1248 wrote to memory of 448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (repeated 2 times)
PID 448 wrote to memory of 60 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (repeated 11 times)
PID 60 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (repeated 20 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe

"C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b86952c565.exe

"C:\Users\Admin\1000037002\b86952c565.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\a8675ae254.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\a8675ae254.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c74cd3a-5ec7-4967-ab26-512405cb266a} 60 "\\.\pipe\gecko-crash-server-pipe.60" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78ed8fed-bc81-4f27-ae34-8c08214f4f3b} 60 "\\.\pipe\gecko-crash-server-pipe.60" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c3007a0-c066-4567-8c60-44ffa6625dee} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2944 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7a78360-5a3d-4781-a5ff-cc6d73d81ec2} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4516 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4528 -prefMapHandle 4536 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c7907c8-3c5d-46c3-9a29-bbd1399cdb9f} 60 "\\.\pipe\gecko-crash-server-pipe.60" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02c991ea-751d-4815-8a5e-20db1306b2c1} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dcfe548-4342-4961-adbe-56f2d9d35fc3} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17c6d41b-bb08-4d01-ba4c-9b13f0dcdeca} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6204 -childID 6 -isForBrowser -prefsHandle 6212 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e150296e-6491-4fff-9451-abd25eef4787} 60 "\\.\pipe\gecko-crash-server-pipe.60" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:54558 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 34.42.82.35.in-addr.arpa udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:54576 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
FR 23.200.87.12:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 12.87.200.23.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4---sn-5hnednss.gvt1.com tcp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 201.132.217.172.in-addr.arpa udp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/688-0-0x0000000000B30000-0x0000000000FDC000-memory.dmp

memory/688-1-0x0000000077DF4000-0x0000000077DF6000-memory.dmp

memory/688-2-0x0000000000B31000-0x0000000000B5F000-memory.dmp

memory/688-3-0x0000000000B30000-0x0000000000FDC000-memory.dmp

memory/688-4-0x0000000000B30000-0x0000000000FDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 6d0f73b4a2b84bef406470efcd79a990
SHA1 3e76cd04a8655c14330a7392bbeedb2e17f2e015
SHA256 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf
SHA512 54ba08bb0194c37dbbcf0f017ba9f7a87f370b9378e6191c6f4654c479c89de398e4b467d7506dc93f580d4cb773563eaa3c4da97c46e0b10feda0a82a9a627d

memory/688-17-0x0000000000B30000-0x0000000000FDC000-memory.dmp

memory/1376-16-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-19-0x00000000004C1000-0x00000000004EF000-memory.dmp

memory/1376-20-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-21-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\d3d2958541.exe

MD5 d1be0f6f034c55fc17558f2ae445f1b2
SHA1 6b7f7599af54f730451f8344906acc7d0a206af7
SHA256 21a8a20a3cf2e59afeea5b810da2fd7b132780a8167ab28b0bf8da4d7061478e
SHA512 3e96bbee8cb19b3dc7c45d302f5321122722562f2ad41ce9d61bb34d2fdd65c7eaf133bdb097445df327629b2fea78caa22041ca122884a9ec1758da0288f465

memory/3228-40-0x0000000073A0E000-0x0000000073A0F000-memory.dmp

memory/3228-41-0x0000000000EF0000-0x0000000001020000-memory.dmp

memory/1248-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1248-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1248-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\b86952c565.exe

MD5 c98386f4432190c0c37be9ebc2e19eda
SHA1 fad3e282c5987117de21508674eb3f0f28f958c7
SHA256 6d47e2a31348815e467a4e421edc44abbc0080393e0a9c32608e74757f038bab
SHA512 262864defaf0bc2f8b1e20967725e741fad90b288ea640b33f77305bc69357cf85648264902b03f581f4de95bc7b06ffabf897410efe4abf0b28201f6e1fbca7

memory/4204-68-0x0000000000490000-0x00000000004C8000-memory.dmp

memory/1492-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1492-74-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\a8675ae254.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/536-90-0x0000000000430000-0x0000000000673000-memory.dmp

memory/1492-91-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1376-107-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\50b86f08-cb29-4a59-b12c-830fa84a61a5

MD5 dffb80849f79fa8ecefaa76e1af68a12
SHA1 40bf4bc8d2df4b5e626a00e4cde979917978eaf8
SHA256 8545ede8f04310c36ac7ee9bd5862a55ee2f05e8cd8aa7f4b126269c79bad9be
SHA512 71655c106092ead0d1ba2049035514138e329a33c183e876024dfbb273447380cfc7a48d29362b7015d97c52a53e46b9f3b00ede0cf06f901df08cb4f0d9b16d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\61902ff6-73b0-40b0-98d7-67154fc88ed1

MD5 eaafb0e11d3a034198c54ec6aec08ed1
SHA1 d3bcf74dbbb9a1e9696e0a8e38c20b7ee1e419f3
SHA256 fd9611418ba41ceb60b6eedd3a29920078b9150e77ba6ee28ef5fc7243d6b902
SHA512 36c5bc6cd5bb9acd70fef1df857f73a4eb170af91c1b8760db849fc9a22fe9366a990c451e9c8cab115efae626a6298e4be905cfab6e3fa78a6dc053b8f1d5e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\f0ba6f94-5938-4762-9348-d4d8de486448

MD5 7de4e2f62081e6d3e512501032a55fff
SHA1 64ab0898eea0578ab50b25eee63f2fd866e359f1
SHA256 8502fe7c48cf974e198e5750febfa5834b92e5f5feec887a0cecdb32b50a7491
SHA512 c1377c77081a51a01628864915cd3497d6361f3881d549363b10be17e4cc8f8bb72c0f5cc30ab6d3811fe8ab42a256ab699286729e778f32f5d967e0b4f3c0be

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 8d42565ac748e36f3c7a078f0d1bf66d
SHA1 8d739ff61776645ef10701da6f2ffc946f526be3
SHA256 638b0b61388b633a323f416364b9fe2362712405818490b2b5be23610ccb90d0
SHA512 9f4be9d5fbc49dc05b4566f6d28cc1f937fcca6bd425f98a4ce0b6bf8b1d821761e9e5110bc6c9eea8f31fe431b71cc9dfb2bfee994c3919fc1b670362f60451

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

MD5 0f623a5b728f095949dbc8a40b3c4d08
SHA1 aa51013c0bdbf57166bf0efc17ccaa3242354b5b
SHA256 b765c8713f91405b22325b99e8111291515ddac5fd84f77f52e9a1a479202861
SHA512 b8bc3700b1650f7c3855de0f005946e8b0af7c3ea94ac360d533f413b72f0319acda99d05fad91f1c48661ecc6a0706f93168c99d2529247b4618b9ab9dc74f3

memory/1376-377-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

MD5 2ba9f79c5533f2e3767ead19a86e1bdb
SHA1 1bf5cbf9906fbca74ed482be3a00cbc23e298a37
SHA256 3b7dbb777cf1e4cc9813482d1f83b89fef5c239e1fc1158ec533e62a606c3888
SHA512 4eb40c8b847c1e811294581726e045a671c1ff27d029f5007c685c7107acc77b281be73abad03549b1445f4d6dba34056ecd2e6eaf6fba768f059a4c37ad33f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

MD5 762196716223ee84b67e1a30e6c8ef0e
SHA1 d12477eb3b917202701375d3ed4bcd2a66043307
SHA256 242c1f829963a8d5081eed418cb9a1661e3bc76e22659df6c7aa0cef00ba9773
SHA512 c96b1da3a86b4548270f32fce746c04850559f95dd918afde6a2e900894f7ff658f4171ddffbc27e298ca59f4fe65160b483ca1615fa891db88bf324c89b84a8

memory/1376-428-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

MD5 d66de4cc0284075c24d2c010bab96a79
SHA1 32e90af7d0a2eb7911cb659a195286b4335b8af5
SHA256 b2d26626ab0d00d72651f2193e79b64fcfdb4429a992a919d9b3f93073ed2088
SHA512 a8abfc1f49d75426115f9a921187ecf4577d4cc8cac278b57d00078fc5ec4b9622d30fd2d2a8a993e2321a3370a82b19df17701d02bb6cfd0078786a68d78314

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 6aada7538bf03468ce8ae6e1799b664b
SHA1 402254037115bcddeca953a7537b35e84609f31d
SHA256 c60b1217a83526d71574c52abb680d36fe1fc13dbe9988732ec4fcfe5ddab58c
SHA512 53370952c1b439f0191b645c7135a761ab9a7685e3cc9e4cf84e9f75bcfd6c771c4997fd26b363948c1840678beb374bd6fc09295b639a7beb5ab101c3e1e62b

memory/1376-468-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\cookies.sqlite-wal

MD5 e16479165509ba9909027a952fdf3692
SHA1 6cdb221e098499a5d74d09b0287cbc005ce9bf52
SHA256 6d1e2e27c78e5bfd2dcb268efd2cbbebffe658bdaeaf3df171377e9bb589a68a
SHA512 11e1074b58f2203a333b2ab08d7308df4acec6318377bd290727f3d229e969748f83d4316a0bb20191c576de74b89d27b66dedc78ab2c8cf86ea7907958e1cf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\cookies.sqlite

MD5 21d0f942482c98b32ba7a00921528928
SHA1 514193ac1aee5c6152d5c708618cb81a23c6524c
SHA256 19eb2497cc68436a2cf772b77299d2a3dc0dd517a2a9bdaa68134258361bf89c
SHA512 85e771497634d3f18c4492971f99d1cccb21bdaa1c8c47747ae9276d2023d35393ec9c5a858a94ad6275c4040f5ccb948e486d2a37f8a9ed34a3eb457ca47f72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\places.sqlite-wal

MD5 6732445c44182a5d1623a6ccd7e46ea0
SHA1 1578bf1f49a1de7f6636ec3f739d58bbfadf19cd
SHA256 d1a5fc2cf7592eca9072de5d50552177b25b4f4cb2879b18550bb8ac576ba624
SHA512 f3c492a6518a6151e9fac0e857a466b81c23729a1cc78935ec6001d65a73940979707b117c8be67bfb737a9be05e40576fbf059f2ed4618f2890a5a01ac1cf76

memory/1376-526-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/536-527-0x0000000000430000-0x0000000000673000-memory.dmp

memory/1376-532-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 f82dc331995330562cbe733a69dc7721
SHA1 518abb0a69d13832f7ee908352109d1ee905924b
SHA256 ed5009c008f7ef1e8ec5b569bdc63f4edf6c1d41a0ffd617fdab00eef82def2c
SHA512 cf1ce2fe577b2f866cb2fd93aad08871606e8e71e65102996559e53449ec3dc268ee12b67840d71c7a5b4dba65c7680095992e1ffcee1edaea17c331e4590f4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 52c435efd42abcfaa574e46bf24fb141
SHA1 7c208c1876c8583d8aa6cc53be1ec74392814424
SHA256 8c42335a3fb585ee25616ba8fab1184ec390174a2848fc82e6e10b016ac854a0
SHA512 443feb7b17506b26ebbfc93ea4ccf0cb6278cf077648ae6dee96832b4d5ca63129e9814127ee1823be924df4623294ebd98b255d2f3958ced7d176c654921fba

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 ecc9c2c647906a798f5ca79055b9a1db
SHA1 6235bb2c6f91aeb6c0a92778e5749042559ff409
SHA256 2cbe52ccbe125bccc0c1c9bc445f73a7d6daaa1d81e1b32582f6cd54ce62bbe0
SHA512 41cca4cd7989603fcf9858cc802b55139b4ec5c31c92afcd8de88d4ea3ca8ebf33ed24e00b4fc62591f8fb9d23f2463cf1dd80201b9008f4f4b906c8deef2f26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 8d60d7a6915ef5dff96ecfa616177dfa
SHA1 8353eaaf7e66eb7fd7fa1c9943dce0daeb9983e1
SHA256 f9a713b9ae49af2c488d5936b46d25023f0b0ef834ba24272e9491367c95fe7c
SHA512 141326ae42e7994439ab8262a2db3f0013bbaa110460e3d6ba84280ceadb48317f641a775f54750a6101dca941119b08395a09491e785cff4faa8d55e67922bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

MD5 2218cc1f1f0f40ba5bf85b22474374bf
SHA1 59c5461e44c84d33143ac9b7b7160271c455df25
SHA256 2daf4f3c10158af1352a2f1877ed79c3ed46f170b8e685abf1e401b2a9fc8499
SHA512 7105da7ccd5435e0c2eba545ec314e870dc3b0fa063cfc697d328400c443e6fb2cc37e32e316af82e4096f4f11038aaab31859148c1bdeaac7bf1aeaa5d99fa3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

MD5 88d94d8201f571e140038e192e669710
SHA1 703d3b16f0b4f0d681ed8377d5275eed22616223
SHA256 cb73f3985b99510dbd73138734194e72b82ecd4d47599c1e1d184c39a6ba136f
SHA512 20fb68eb1e7d05edf73b664695ce905eb101dfe283d55ebcbb4d92cbfa1363555a5b472f4084c00f23a792ce5e70603754c8ccceeb8500e2014b7eca5c5da3b6

memory/1376-708-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

MD5 f2ecbe8d9091bdeda09c978f102f2c08
SHA1 6c6bb0e7a23e101d7dc676835b13af25b02acfec
SHA256 fb2240334dd7280b44e24a73a229315656f571daa58b5e1c32d47265b5ca2779
SHA512 771ea4db28c62dc4c11f595bc9450597f2335f4bda0adc589386a5422e05c68e1e8bc40a654ac72ebcfcda55429c8ac7b4f00fb98359d1f702960a3e7d0b575d

memory/4484-735-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 df831737dbacf99f9638f3e24b8eb58c
SHA1 f91e5f1d9924fcd1275fd3051211b74dad20ede5
SHA256 602b0745eee44c281a30adcbda92c7e1c9a9f2ae6f40b9b2abccfaee007504d9
SHA512 17252a5e854bc057445f5e5b2b18115b3fc737f6af710b7eab1e4b8cc1c1ef8ae6c701a487c6bda01603d5a61514539c76e5ea9f5aa52c76799e2471dc2e8cfb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 bae059a1950026a0219d6d124f563908
SHA1 c4121c040cbf2bece6a2aecd5ede9ff6ee8b0654
SHA256 b8fa8d31021418d5f5411fd8a30f526fba884be4894d8ed7f33fc01da10444be
SHA512 62d495132c14c36eaf5de5c3ea263d4797b2c401426e557ad4efb5c7b0b1158e0c16f82ba3e6a23d152ea90a7b58400889fcf26ee4919515aa5c1dcfdc755c56

memory/1376-1049-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-1466-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-1783-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2114-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2511-0x00000000004C0000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1376-2956-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/2440-2969-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2973-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2976-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2982-0x00000000004C0000-0x000000000096C000-memory.dmp

memory/1376-2983-0x00000000004C0000-0x000000000096C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 14:37

Reported

2024-08-15 14:39

Platform

win11-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1300 set thread context of 3100 N/A C:\Users\Admin\1000037002\a8675ae254.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5068 set thread context of 1000 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\a8675ae254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Count Description Indicator Process Target
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe N/A
42 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
21 N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Count Description Indicator Process Target
64 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 3604 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
3 PID 484 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe
3 PID 484 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a8675ae254.exe
9 PID 1300 wrote to memory of 3100 N/A C:\Users\Admin\1000037002\a8675ae254.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
10 PID 5068 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3 PID 484 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe
2 PID 1000 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
11 PID 1216 wrote to memory of 428 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
20 PID 428 wrote to memory of 2044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Read as a chain: the sample (PID 3604) hands off to its own copy explorti.exe (PID 484; the Files section shows the same SHA256 as the sample), which starts the three dropped payloads (PIDs 5068, 1300 and 2976). Two of them, b86952c565.exe and a8675ae254.exe, write repeatedly into RegAsm.exe (PIDs 1000 and 3100). The Processes list below shows those RegAsm.exe instances were started with no arguments, and a user-profile binary writing into a freshly started, argument-less, Microsoft-signed .NET host is the usual shape of process hollowing, so the RegAsm.exe instances, not the droppers, are where to look for the final payload. RegAsm.exe PID 1000 then starts firefox.exe (PID 1216) with the Google account password-settings URL shown under Processes. The firefox.exe-to-firefox.exe rows (1216 -> 428 -> 2044) match the browser's own -contentproc child launches, whose command lines name 428 as their parent, and are not injection.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe

"C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe"

C:\Users\Admin\1000037002\a8675ae254.exe

"C:\Users\Admin\1000037002\a8675ae254.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec721dba-2944-4c63-8c0b-5a7dc29fe52a} 428 "\\.\pipe\gecko-crash-server-pipe.428" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2272 -prefMapHandle 2252 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ca3f127-1c4a-4a23-b8ea-17ae5c79737f} 428 "\\.\pipe\gecko-crash-server-pipe.428" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3180 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2769cd0e-09c2-4adb-ae9e-402997b45b04} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ab2480-1832-4ead-9df1-067b6e0f6a46} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4716 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4820 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51b40630-59ba-4e35-9e03-6b0ecde01670} 428 "\\.\pipe\gecko-crash-server-pipe.428" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 4984 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2b00365-8e74-48c2-a7e4-5df03ee0b4c7} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {555567e1-ba81-49e6-8921-145f185e9edd} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c21c849e-7cc6-4b61-b1bc-921f05684c16} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -childID 6 -isForBrowser -prefsHandle 6092 -prefMapHandle 6088 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af2d903-afa5-4a25-84e6-17ec16adff2d} 428 "\\.\pipe\gecko-crash-server-pipe.428" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
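
The WriteProcessMemory table and the Processes list above are easier to reason about as a tree. The script below is an added example and not part of the sandbox report: it parses the deduplicated rows copied from the WriteProcessMemory table, labels each write with a heuristic (a user-profile image writing into a C:\Windows image, a same-image child, and so on; the heuristics, the labels and the HOLLOW_HOSTS list are this script's own assumptions, not the sandbox's), prints the resulting process tree, and separately flags command lines from the Processes list that start a .NET utility such as RegAsm.exe with no arguments.

```python
"""Rebuild the process/injection chain from a WriteProcessMemory table.

Added example, not part of the sandbox report. WPM_ROWS and CMDLINES are
copied from the tables above (repeated rows collapsed to one line each);
the path heuristics and labels are this script's assumptions.
"""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 3604 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 484 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe
PID 484 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a8675ae254.exe
PID 1300 wrote to memory of 3100 N/A C:\Users\Admin\1000037002\a8675ae254.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5068 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 484 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe
PID 1000 wrote to memory of 1216 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1216 wrote to memory of 428 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 428 wrote to memory of 2044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Two command lines copied from the Processes list above.
CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password',
]

# Image paths contain spaces, so split on the ".exe " boundary, not on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)
# Assumption: .NET utilities that do nothing useful without arguments; common hollowing hosts.
HOLLOW_HOSTS = ("regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe")

def parse_wpm(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    edges = []
    for line in text.strip().splitlines():
        if m := ROW_RE.match(line.strip()):
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges

def is_user_path(p):      # assumption: anything under C:\Users is attacker-writable
    return p.lower().startswith("c:\\users\\")

def is_windows_image(p):  # assumption: anything under C:\Windows is a trusted OS binary
    return p.lower().startswith("c:\\windows\\")

def classify(edge):
    """Label one write edge; the labels are this script's own vocabulary."""
    _, _, src, dst = edge
    if src.lower() == dst.lower():
        return "same-image child, expected for a multi-process browser"
    if is_user_path(src) and is_windows_image(dst):
        return "HOLLOWING CANDIDATE: user-path binary writes into a Windows image"
    if is_user_path(src) and is_user_path(dst):
        return "dropper starting a dropped payload"
    if is_windows_image(src) and not is_windows_image(dst):
        return "injected host starting another program"
    return "unclassified"

def hollowing_targets(edges):
    """(src_pid, dst_pid) pairs where a dropped file writes into an OS binary."""
    return sorted(e[:2] for e in edges if classify(e).startswith("HOLLOWING"))

def render_tree(edges):
    """Indented process tree; roots are PIDs that nobody wrote to."""
    children, names = defaultdict(list), {}
    for s, d, si, di in edges:
        children[s].append(d)
        names.setdefault(s, si)
        names.setdefault(d, di)
    targets = {d for _, d, _, _ in edges}
    lines = []

    def walk(pid, depth):
        base = names[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {base}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in sorted(p for p in names if p not in targets):
        walk(root, 0)
    return "\n".join(lines)

def bare_host_launches(cmdlines):
    """Image paths of hollowing hosts started with no arguments (a bare RegAsm.exe only prints usage)."""
    hits = []
    for cmd in cmdlines:
        m = re.match(r'^"([^"]+)"\s*(.*)$', cmd)
        if m and m[1].rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS and not m[2].strip():
            hits.append(m[1])
    return hits

if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print(render_tree(edges))
    for e in edges:
        print(f"{e[0]} -> {e[1]}: {classify(e)}")
    print("argument-less hosts:", bare_host_launches(CMDLINES))
```

The tree puts PID 3604 at the root with explorti.exe under it and the three payloads under that; the two RegAsm.exe nodes are the only edges labelled as hollowing candidates, and the firefox.exe chain hangs off RegAsm.exe PID 1000. The bare-argument check is deliberately separate because a sandbox report gives command lines without PIDs; in an EDR query the same check would be joined to the parent image instead.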

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
FR 216.58.214.174:443 accounts.youtube.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
N/A 127.0.0.1:49894 tcp
N/A 127.0.0.1:49902 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
FR 23.200.86.251:80 a19.dscg10.akamai.net tcp
FR 23.200.86.251:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 251.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 location.services.mozilla.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-5hnednss.gvt1.com udp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com tcp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com udp
US 8.8.8.8:53 201.132.217.172.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
NL 108.177.127.84:443 accounts.google.com udp
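
Most of the Network table is the analysis VM's own browser and OS talking to Google, Mozilla, Bing and Akamai after firefox.exe was launched; the rows that matter are the plain-HTTP connections to bare 185.215.113.x addresses with no hostname. The script below is an added example, not part of the report: it parses a representative subset of the rows copied from the table and sorts them into C2 candidates, DNS queries, background traffic and "review". The BACKGROUND_SUFFIXES list and the classification rules are this script's assumptions.

```python
"""Split a sandbox Network table into C2 candidates and background noise.

Added example, not part of the report. NETWORK_ROWS is a representative
subset of the table above; BACKGROUND_SUFFIXES (services the analysis VM's
browser and OS contact on their own) is this script's assumption.
"""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 accounts.google.com udp
N/A 127.0.0.1:49894 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
FR 23.200.86.251:80 a19.dscg10.akamai.net tcp
NL 172.217.132.201:443 r4.sn-5hnednss.gvt1.com tcp
"""

# Assumption: name suffixes a stock Firefox/Windows VM contacts without any malware involved.
BACKGROUND_SUFFIXES = (".google.com", ".youtube.com", ".mozgcp.net", ".mozilla.com",
                       ".bing.net", ".akamai.net", ".gvt1.com", ".openh264.org")

def parse_rows(text):
    """Rows are 'Country Destination Domain Proto'; the Domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None,
                     "proto": parts[-1]})
    return rows

def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def classify(row):
    """One of: local, dns, c2-candidate, background, review."""
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "local"
    if row["port"] == 53:
        return "dns"            # resolver query; the queried name is in 'domain'
    d = row["domain"]
    if d is None or is_ip_literal(d):
        return "c2-candidate"   # raw IP with no hostname; every other row here has a name
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "review"             # named host not on the allow list: look at it by hand

def triage(text):
    """Group destinations by class; c2-candidate and review are the blocklist input."""
    out = {"c2-candidate": set(), "review": set(), "dns-queries": set(), "background": set()}
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "c2-candidate":
            out[kind].add(f"{row['ip']}:{row['port']}/{row['proto']}")
        elif kind == "dns":
            out["dns-queries"].add(row["domain"])
        elif kind in ("review", "background"):
            out[kind].add(row["domain"])
    return out

def c2_networks(iocs, prefix=24):
    """Collapse C2 candidates to prefixes; whether to block a whole /24 is a policy call."""
    nets = set()
    for dest in iocs["c2-candidate"]:
        ip = dest.split(":")[0]
        nets.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return sorted(nets)

if __name__ == "__main__":
    iocs = triage(NETWORK_ROWS)
    for kind, items in iocs.items():
        print(kind, sorted(items))
    print("networks:", c2_networks(iocs))
```

On the full table the "review" bucket stays empty, which is the point of keeping the allow list short and explicit: anything that is neither a known background service nor a bare IP is surfaced rather than silently dropped.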

Files

memory/3604-0-0x0000000000350000-0x00000000007FC000-memory.dmp

memory/3604-1-0x0000000077336000-0x0000000077338000-memory.dmp

memory/3604-2-0x0000000000351000-0x000000000037F000-memory.dmp

memory/3604-3-0x0000000000350000-0x00000000007FC000-memory.dmp

memory/3604-4-0x0000000000350000-0x00000000007FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 6d0f73b4a2b84bef406470efcd79a990
SHA1 3e76cd04a8655c14330a7392bbeedb2e17f2e015
SHA256 6dc00b02c91a51431b4d9bafbf70bf204de2152ae1391a4e374205939f81c5bf
SHA512 54ba08bb0194c37dbbcf0f017ba9f7a87f370b9378e6191c6f4654c479c89de398e4b467d7506dc93f580d4cb773563eaa3c4da97c46e0b10feda0a82a9a627d

memory/484-16-0x0000000000160000-0x000000000060C000-memory.dmp

memory/3604-18-0x0000000000350000-0x00000000007FC000-memory.dmp

memory/484-19-0x0000000000160000-0x000000000060C000-memory.dmp

memory/484-20-0x0000000000160000-0x000000000060C000-memory.dmp

memory/484-21-0x0000000000160000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b86952c565.exe

MD5 d1be0f6f034c55fc17558f2ae445f1b2
SHA1 6b7f7599af54f730451f8344906acc7d0a206af7
SHA256 21a8a20a3cf2e59afeea5b810da2fd7b132780a8167ab28b0bf8da4d7061478e
SHA512 3e96bbee8cb19b3dc7c45d302f5321122722562f2ad41ce9d61bb34d2fdd65c7eaf133bdb097445df327629b2fea78caa22041ca122884a9ec1758da0288f465

C:\Users\Admin\1000037002\a8675ae254.exe

MD5 c98386f4432190c0c37be9ebc2e19eda
SHA1 fad3e282c5987117de21508674eb3f0f28f958c7
SHA256 6d47e2a31348815e467a4e421edc44abbc0080393e0a9c32608e74757f038bab
SHA512 262864defaf0bc2f8b1e20967725e741fad90b288ea640b33f77305bc69357cf85648264902b03f581f4de95bc7b06ffabf897410efe4abf0b28201f6e1fbca7

memory/5068-59-0x00000000001D0000-0x0000000000300000-memory.dmp

memory/1300-58-0x00000000009B0000-0x00000000009E8000-memory.dmp

memory/3100-64-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1000-71-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1000-69-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3100-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1000-66-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\46065650d9.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2976-89-0x0000000000720000-0x0000000000963000-memory.dmp

memory/2976-90-0x0000000000720000-0x0000000000963000-memory.dmp

memory/484-97-0x0000000000160000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\194c8863-0b2a-4c77-a259-56e6315dfd33

MD5 77b3791d443aebd5560a79ec9d0d94d3
SHA1 4013dd6948c1bac769b04c7b13c383aeb96bbcaf
SHA256 261c53b05ff57b7b6b94460c7a26ace2530e1f39ce7e744e4db1326bd86ad0cb
SHA512 9964719ca41fac92109c9d574eaea8ab82bda0329abb0ea0f93c34e62cbb2c5950cfb8d87548f074a9914d4d46641319e0280d31edc77a0ab6e3f509caaf5d5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 f220805f09a46813f9df53c4966d72d2
SHA1 0da9338ca74414f96df10d87f83417d04e341151
SHA256 87483bb807191c5904205210363d657ea89561360e274b3d5c70839a6b2ddcb4
SHA512 d239fd957b301bc5835da6d7f25f0e5ac5907bbd5679022724b853c0a028ca9ba765d81fef337469a6d9ef87bfdd89e7432f2ae9a63f4a1d730d6a34d52b1d02

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\2e1928e2-e2e8-4934-8df5-6d30bba168f1

MD5 231d06b8b8f23b1bad1ce90a0d47b3ac
SHA1 8ce4624eecb46220acf15129f012f56bb28fb439
SHA256 8bddf656254b2335fd766b0e84a2b43bd7cc343297641d1d887dc7ec3bb3ab50
SHA512 f720df527ede6ac66f3079acdbf1e4f67bf7f0da9ac3c98109088ff819d88079a538ab0cb8448fac843c13a6cb0c37d978dafbed0b0847859cb493d688b92951

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\05900276-573e-4e61-b838-b8a59bc97b1f

MD5 2822dffedd003f6daa9a3f3347f1f050
SHA1 0f434d9f601a95135a48012230e6edca39651a0b
SHA256 f0953ee40e4af8ac6b4ac81b3ac1a1682253a48d3ec8ecb020ceb513c6c2fca6
SHA512 b3bad12bd76b069621147e6f85459601ac01eb43b6f57de0faea31107a25a4930d6a542d88f8db73c6096761538257bfb3b52a7559e605075ce1bda1a45f1aaf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 dc6db0bd2f7dc80e8945c44c67fa1f85
SHA1 44d9a2d4c1c07a71aeb5a45daa1b1b85b2816d3b
SHA256 a158e13c3e7bac7d250de5c8087037166b39c4927c0b03e9f4a6f85f4d6449b8
SHA512 425578ccd38dedd1c0c45810452eedc68a9222732b5fa89b972592f0592f7ac784aec7cbd1221596043b707838587e7b488dbe83f24af701a62badccb708292d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 a8f2ae8c583a53050f3abadd96e2f566
SHA1 313e82fb5ce3de208db5aa93cfb062e25fadcecf
SHA256 913a5f2c8fb3fd8d3f011cc0b5800245f5abdbaad01ccb22fc5d8e60b30a20d4
SHA512 30cc6a4c6281261d29edcceb8f97950e727e1ba721a5c77e3db65d99a4271cd150d36fde399fc7dcf45c8bc7f95f0c869a4616394cf64c970ee7ca6d145a0550

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 bd97ec8b118e79872d9c474bed28eb01