Malware Analysis Report

2024-10-18 23:40

Sample ID: 240812-fn5k8s1bqf
Target: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd
SHA256: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd
Tags: amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd

Threat Level: Known bad

The file 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-12 05:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-12 05:02
Reported: 2024-08-12 05:07
Platform: win10-20240611-en
Max time kernel: 300s
Max time network: 301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\445fa0a4b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\445fa0a4b2.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 832 set thread context of 2104 | N/A | C:\Users\Admin\1000037002\d97bf81a34.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2676 set thread context of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\00a5877a53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\d97bf81a34.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2376 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1908 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe
PID 1908 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\d97bf81a34.exe
PID 2676 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 832 wrote to memory of 2108 | N/A | C:\Users\Admin\1000037002\d97bf81a34.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 832 wrote to memory of 2104 | N/A | C:\Users\Admin\1000037002\d97bf81a34.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2676 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1908 wrote to memory of 3584 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\00a5877a53.exe
PID 4304 wrote to memory of 4056 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 3192 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3192 wrote to memory of 1660 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3192 wrote to memory of 3176 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe

"C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe"

C:\Users\Admin\1000037002\d97bf81a34.exe

"C:\Users\Admin\1000037002\d97bf81a34.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\00a5877a53.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\00a5877a53.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.0.19618515\652589225" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1652 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {070a6be1-ecf6-4dd9-a9b5-5ab269c7b113} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 1764 2246ebdbb58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.1.1101292760\478660733" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21706 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd798b3-ae81-4337-a4a5-001753a6db5b} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2140 2245c872158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.2.1422336327\878201955" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2796 -prefsLen 21809 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {484b2c63-a3ea-4af2-83d1-ec57f7b6d0e0} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3040 2246eb5ce58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.3.794031687\1621949624" -childID 2 -isForBrowser -prefsHandle 3320 -prefMapHandle 2464 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee19dc2-4ccc-4510-91fb-d98caecb6bb0} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 996 22473064a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.4.1683067599\460580353" -childID 3 -isForBrowser -prefsHandle 4708 -prefMapHandle 4692 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64049ca-e622-4596-aae9-c069d4b04358} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4716 22475c76c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.5.695800744\1999302700" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa3a6e0-5134-4e68-881e-41bcb8fe4110} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4960 22475c77258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.6.1521049519\553312737" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 4968 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e50958ed-7ee6-4893-a65a-3406b9dfe4d4} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 5088 22475d54558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.7.1782515130\1096917961" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5544 -prefsLen 26529 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {740ae149-2aa6-42b3-80bd-3dbb1747fddf} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4892 2247713fb58 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:02

Reported

2024-08-12 05:07

Platform

win7-20240708-en

Max time kernel

299s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\9267c7b48e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\9267c7b48e.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 1864 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 set thread context of 1084 N/A C:\Users\Admin\1000037002\613bb19e7e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\613bb19e7e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count (consecutive identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | N/A | 1
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 53

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count (consecutive identical rows)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 55

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count (consecutive identical rows)
PID 2304 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | 4
PID 2692 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe | 4
PID 2604 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 14
PID 2692 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\613bb19e7e.exe | 4
PID 1796 wrote to memory of 1084 | N/A | C:\Users\Admin\1000037002\613bb19e7e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 13
PID 2692 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe | 4
PID 1864 wrote to memory of 2676 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 4
PID 2676 wrote to memory of 1480 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 12
PID 1480 wrote to memory of 1272 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3
PID 1480 wrote to memory of 1668 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
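The WriteProcessMemory rows are enough to rebuild the whole detonation tree and to pick out the two injection targets. Read top to bottom: the sample (PID 2304) writes into explorti.exe, whose SHA256 in the Files section below is identical to the sample's own, i.e. a self-copy; explorti.exe (PID 2692) then spawns the three downloaded payloads; two of those (PIDs 2604 and 1796) each make well over a dozen writes into a freshly created RegAsm.exe, a Microsoft .NET utility under C:\Windows, whereas a plain process start is logged here as four writes; and the first RegAsm.exe (PID 1864) is what launches firefox.exe with the Google password-settings URL shown under Processes. The script below is an added example, not part of the sandbox report or any vendor tooling. Its input is the ten distinct rows of the table above with their repeat counts; the parser, the parent-from-first-write rule and the "user-profile binary writing at least 8 times into a C:\Windows image" hollowing heuristic (threshold chosen by the editor) are assumptions of the example, not the sandbox's own logic.

```python
"""Rebuild the process tree and injection targets from sandbox WriteProcessMemory rows.
Added example; rows copied from the report, parsing and heuristic are the editor's own."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the ten distinct rows of the table above, each paired with the
# number of times it appears there, expanded back into the sandbox's one-row-per-call form.
_DISTINCT_ROWS = [
    (r"PID 2304 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe", 4),
    (r"PID 2692 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe", 4),
    (r"PID 2604 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 14),
    (r"PID 2692 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\613bb19e7e.exe", 4),
    (r"PID 1796 wrote to memory of 1084 N/A C:\Users\Admin\1000037002\613bb19e7e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 13),
    (r"PID 2692 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe", 4),
    (r"PID 1864 wrote to memory of 2676 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe", 4),
    (r"PID 2676 wrote to memory of 1480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe", 12),
    (r"PID 1480 wrote to memory of 1272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe", 3),
    (r"PID 1480 wrote to memory of 1668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe", 2),
]
WPM_TEXT = "\n".join(row for row, n in _DISTINCT_ROWS for _ in range(n))

# Image paths may contain spaces ("Program Files"), so each path is anchored on a drive letter.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Map each distinct (writer, target) pair to the number of writes logged for it."""
    counts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            w = Write(int(m[1]), int(m[2]), m[3], m[4])
            counts[w] = counts.get(w, 0) + 1
    return counts


def parent_map(writes):
    """Assumption: the first PID seen writing into a new PID is the one that created it."""
    parents = {}
    for w in writes:                      # dict keeps first-seen (chronological) order
        parents.setdefault(w.dst_pid, w.src_pid)
    return parents


def images(writes):
    img = {}
    for w in writes:
        img.setdefault(w.src_pid, w.src_img)
        img.setdefault(w.dst_pid, w.dst_img)
    return img


def ancestry(pid, parents):
    """[pid, parent, grandparent, ...] up to the root of the tree."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def flag_hollowing(writes, min_writes=8):
    """Heuristic (editor's assumption, not the sandbox's rule): a binary running from a
    user-writable path that makes many writes into a process whose image lives under
    C:\\Windows has the shape of process hollowing; a plain start here logs 4 writes."""
    hits = []
    for w, n in writes.items():
        user_writer = w.src_img.lower().startswith("c:\\users\\")
        system_target = w.dst_img.lower().startswith("c:\\windows\\")
        if user_writer and system_target and n >= min_writes:
            hits.append((w.dst_pid, w.dst_img, w.src_pid, w.src_img, n))
    return hits


def render_tree(writes):
    """Indented 'PID  image' lines, one per process, depth-first from the root."""
    parents, img = parent_map(writes), images(writes)
    kids = defaultdict(list)
    for child, parent in parents.items():
        kids[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {basename(img[pid])}")
        for c in kids[pid]:
            walk(c, depth + 1)

    for root in [p for p in img if p not in parents]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    writes = parse_rows(WPM_TEXT)
    print("\n".join(render_tree(writes)))
    for dst, dimg, src, simg, n in flag_hollowing(writes):
        chain = " <- ".join(map(str, ancestry(dst, parent_map(writes))))
        print(f"hollowing candidate: PID {dst} ({basename(dimg)}) written {n}x "
              f"by PID {src} ({basename(simg)}); ancestry {chain}")
```

Run as a script it prints the eleven-process tree rooted at PID 2304 and names PIDs 1864 and 1084 (both RegAsm.exe) as the hollowing candidates, with the chain back to the sample for each. The same parser works on any report in this row layout; the threshold is the one thing to re-tune per sandbox, since the number of writes a normal CreateProcess produces depends on how the monitor hooks it.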

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe

"C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\613bb19e7e.exe

"C:\Users\Admin\1000037002\613bb19e7e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.0.376908202\435434635" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cd3162-6f11-49fa-b1b9-111c34bcf6c5} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 1276 123f4b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.1.1189140004\1778891705" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f48568-0508-4aa7-95ec-78ea172b60d0} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 1496 e73058 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.2.721844314\1961400216" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92fa0411-bcfd-4356-a71a-5706a53b1e6d} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 2080 1a58a858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.3.2028683650\1882709280" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c75441a-2fee-4529-9b5a-9dd2bab92f39} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 2916 e62d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.4.1500050912\119562157" -childID 3 -isForBrowser -prefsHandle 3768 -prefMapHandle 3720 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b47eadce-6d0e-4fd8-8bfc-63d5f331d4d7} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3784 1a789558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.5.1955781134\735157703" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a09adbf-0d2c-4be6-8915-cec29a7f5e1b} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3876 1f5df058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.6.1178332260\763669154" -childID 5 -isForBrowser -prefsHandle 4044 -prefMapHandle 4048 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b53c8b5c-1e6a-412a-b7a1-468d3a7a322c} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4032 1f5e0258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.7.381959050\1909578793" -childID 6 -isForBrowser -prefsHandle 4324 -prefMapHandle 4328 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6956c7-827a-4db2-b92b-35cf1ea25634} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4340 1b892a58 tab

Network

Country | Destination | Domain | Proto
RU | 185.215.113.19:80 | 185.215.113.19 | tcp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
RU | 185.215.113.100:80 | 185.215.113.100 | tcp
RU | 185.215.113.100:80 | 185.215.113.100 | tcp
N/A | 127.0.0.1:49296 | N/A | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | spocs.getpocket.com | udp
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp
NL | 142.250.102.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
NL | 142.250.102.84:443 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
N/A | 127.0.0.1:49302 | N/A | tcp
US | 8.8.8.8:53 | accounts.youtube.com | udp
NL | 142.250.179.174:443 | accounts.youtube.com | tcp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
NL | 142.250.179.174:443 | www3.l.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
NL | 142.250.179.196:443 | www.google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
NL | 216.58.214.14:443 | play.google.com | tcp
NL | 216.58.214.14:443 | play.google.com | tcp
US | 8.8.8.8:53 | play.google.com | udp
NL | 142.250.179.196:443 | www.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
NL | 216.58.214.14:443 | play.google.com | tcp
NL | 216.58.214.14:443 | play.google.com | tcp
NL | 216.58.214.14:443 | play.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp
GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
NL | 142.250.179.174:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
NL | 142.250.179.174:443 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | r5---sn-4g5lzney.gvt1.com | udp
DE | 74.125.163.138:443 | r5---sn-4g5lzney.gvt1.com | tcp
US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp
US | 8.8.8.8:53 | r5.sn-4g5lzney.gvt1.com | udp
DE | 74.125.163.138:443 | r5.sn-4g5lzney.gvt1.com | udp
NL | 142.250.102.84:443 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
RU | 185.215.113.19:80 | 185.215.113.19 | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
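Most of this table is noise produced by the Firefox instance the sample launched (Google account pages, Pocket, remote-settings, balrog update checks, the OpenH264 download from Cisco's CDN). The rows that matter for blocking and hunting are the ones whose Domain column is just the IP address again: 185.215.113.19, .16 and .100, all on plain HTTP port 80, all in one /24, and with no DNS query preceding them, so nothing about them will show up in resolver or proxy logs. The script below is an added example, not part of the sandbox report or any vendor tooling; its input is an excerpt of the table above in the report's own layout, and the "direct-to-IP means C2 candidate" heuristic and the /24 grouping are the editor's own assumptions.

```python
"""Sort a sandbox 'Network' table into likely C2 and browser background traffic.
Added example; rows excerpted from the report, classification is the editor's own."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: an excerpt of the Network table above in its original layout
# (Country Destination Domain Proto); loopback rows carry no Domain column.
NET_TEXT = """\
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49296 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:49302 tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
RU 185.215.113.19:80 185.215.113.19 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_net(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # loopback rows have an empty Domain column
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(f):
    """local / dns / direct-ip / named. 'direct-ip' means the Domain column only
    repeats the address: no lookup preceded the connection, so DNS and proxy logs
    will not show it, which is what a hard-coded C2 address looks like."""
    if ipaddress.ip_address(f.ip).is_loopback:
        return "local"
    if f.port == 53 and f.proto == "udp":
        return "dns"
    if f.domain is None or f.domain == f.ip:
        return "direct-ip"
    return "named"


def c2_candidates(flows):
    """Distinct direct-to-IP destinations, in address order."""
    return sorted({f.ip for f in flows if classify(f) == "direct-ip"},
                  key=ipaddress.ip_address)


def cluster_by_net(ips, prefix=24):
    """Group candidate IPs by /prefix so a single hoster range stands out."""
    nets = defaultdict(set)
    for ip in ips:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].add(ip)
    return {net: sorted(hosts, key=ipaddress.ip_address) for net, hosts in nets.items()}


def summarize(flows):
    """Distinct names (or addresses, where there is no name) seen per class."""
    by_class = defaultdict(set)
    for f in flows:
        by_class[classify(f)].add(f.domain or f.ip)
    return {cls: sorted(names) for cls, names in by_class.items()}


if __name__ == "__main__":
    flows = parse_net(NET_TEXT)
    for cls, names in summarize(flows).items():
        print(f"{cls:10} {', '.join(names)}")
    print("C2 candidates by /24:", cluster_by_net(c2_candidates(flows)))
```

On the excerpt this yields three candidates, all inside 185.215.113.0/24, while the port-80 fetch from ciscobinary.openh264.org stays in the "named" class because a DNS lookup for it is in the table. Direct-to-IP is a triage heuristic, not proof: legitimate software occasionally hard-codes addresses too, so the candidates still need the process attribution (which PID opened the socket) before they go on a block list.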

Files

memory/2304-0-0x00000000013B0000-0x000000000187A000-memory.dmp

memory/2304-1-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

memory/2304-2-0x00000000013B1000-0x00000000013DF000-memory.dmp

memory/2304-3-0x00000000013B0000-0x000000000187A000-memory.dmp

memory/2304-5-0x00000000013B0000-0x000000000187A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 b2f0d9cde6cd1f83091b9f2a6875e6a9
SHA1 a7bb83cc3f9edc38751ba908d3e0bf393dcfdfc6
SHA256 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd
SHA512 51bae1077f202a997dbb78e3ece8cf14737362aaeb0e263917a0ba44cfb89cee3b2532c2e5db88151e07c2c8f644be5a4fc3cffb4c6a7f202ee58812afae5de6

memory/2304-14-0x00000000013B0000-0x000000000187A000-memory.dmp

memory/2692-16-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-17-0x0000000000DB1000-0x0000000000DDF000-memory.dmp

memory/2692-18-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-20-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-21-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/2604-36-0x00000000003A0000-0x00000000004D0000-memory.dmp

memory/1864-38-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-42-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-40-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-52-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-54-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1864-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1864-44-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\613bb19e7e.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/1796-69-0x00000000011C0000-0x00000000011F8000-memory.dmp

memory/1084-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-75-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-83-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-79-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-77-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1084-82-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2628-103-0x00000000011E0000-0x0000000001423000-memory.dmp

memory/2692-102-0x0000000006500000-0x0000000006743000-memory.dmp

memory/2628-104-0x00000000011E0000-0x0000000001423000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\db\data.safe.bin

MD5 266240a5c838b08e9427a8bef25d9bdf
SHA1 3e8f650c2518f5e77972e469023bbbcbb9d78238
SHA256 7dd24bbd2a61d86c86079e986a3321d755e08b582ea9296fcf78972140512547
SHA512 c5572e091193dcfa6371a63056e0bd83c46fb1fef656fce07803e1e2c46f8a5aa399bb459817220658bb9381848fb00b4d5c1a07fb6c0cbd54883d616f59d010

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\pending_pings\37a6ccc4-79c8-42da-8448-5c7eb7c7d575

MD5 62e2ea56f66187ae7b0af72a56ad5d4a
SHA1 e2e9e383108ac54c7618a8874bc1d09a7428e7cd
SHA256 a506c57db5d04b7c0eee5f130c1e303dc650af3eb211a86529f9bba502040875
SHA512 21a3f625f4aded3b9dc077eef0be0ab6a96a2592977ac0edaaa3e204740cc8f3d77df5390de705ecc99cacee56b176e8aae741206fd6576e4c8cf9bf6deecfc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\pending_pings\fa5f9d06-db10-47ae-9f96-8365f5f47e01

MD5 45c95b9affe0c7dafd25079b6b58fe01
SHA1 598441fd16b5a05ceaca0281b84f5f6ff186a70d
SHA256 a8daae2e7dd62e7f87a48fed3a2b8da22deb5ce471dec79ac1e60ee7a0476f31
SHA512 318e04aff44173826bf715b5961922312263dc681693613b447ecdf0afdb1ca201de52074789c356498f1e2920f0e15ca257989467bbac0040f513bb0b3cc44c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\activity-stream.discovery_stream.json.tmp

MD5 a6bc39c0c3ecce8e9a446b69978616ef
SHA1 91e53afc47f7f63278471a0becfcb6485b0c1d7c
SHA256 a70742bc199c8953ef451417493651b309c0a4b9eea731eaa4411df8db2bf1c8
SHA512 430cf4c7e23f7050b1664cfb7caf4f5daab88abf0f20f801dbd4042fbf3aaa4627a8aeb891d58d0e5b70d0f2c0068fb05de721633ecc12a5a55fc995c97646b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9d94688c4d7b1c97564802430b389174
SHA1 36965259e53fb3f753e57bfb968dc2b8a6a642f7
SHA256 d7614d843ef0a8f02f506ad4d829b65322deb08c23a14ce07b13c3c7ad7808c8
SHA512 14f93edbf9aea1a7422a97414c2a3776e5c3aa4ddd0cbb19ad77f85d593508fd76def100597b6b1ca3ea4b0e817857bc6aa8cc431c752b25f9b63e01b57ed4a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js

MD5 dafec63a4fdbc587c569316f5060667e
SHA1 b233fcfe6b9a20d15d17628dc3ca3d93d7120095
SHA256 48778b34b81a4118903b040227e4f8a8efbe598446b739c63fadb4093432e7e3
SHA512 a88f76a8eae3fd88f806628a1e592e775d8c071822d1ccd4b1f97bf913340fd56d802278c7cccb120ec300d89adf892ff4e00ef8f979f2e9cad4aebb2209f803

memory/2692-213-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js

MD5 42961517d5a0348d6b1d84c45d3d8a1a
SHA1 fb3c72637fca303134181fabb0ab4e009610c6ff
SHA256 d36326ad3e0aeb8d6e23aceb743e5929c2ad03a003cdfe666a4e23e4085666ed
SHA512 00136d233c0f65bfb091417458550adf059615afb333fb84896118215269a1e6ed10f2a6cf15f1aaac4758d3d7569ede31b6249d694050c686a8602588344734

memory/2692-250-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-251-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-257-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-266-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\sessionstore-backups\recovery.jsonlz4

MD5 62d45518d7c2934fa81c447655a61959
SHA1 02c65e3d191dec5345883d71db2cb1ccc5eda7af
SHA256 3c2b0a4f1257d0ffda09cf6b1052da90f304b0b270caf821ae214b78a6bbfc6d
SHA512 ee372768f82622b850b2e35dfee0662a6d56eceb828cfb3ace11ff27af999bc6533a7d3bc425f5eda327bbcfba527460751e62d19207caa267da7fd09db3fbf0

memory/2692-274-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js

MD5 57c45527e982f9fb75ee539771e7e621
SHA1 cd3a711c552aa24af2e7fd624a235436c848cad4
SHA256 d74407ab55b4ab53a8fb90673a44583c4add2e1f318288db8f52ba38f6b6d37f
SHA512 ba55f7bfee7417d657a0abfc104b21d9225c6232b84445cac839bf36fcf66c2fe15b10b2b03651a210ef0b5d984a48bd7d49c7500975a9f9003a96a0e0f34cc4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js

MD5 e7703e0cc863fa9624b187a51c595fcb
SHA1 a06b73dd7940551e77796af55a45e09ceb61c1e4
SHA256 15c07dbe5d5caf4c53a4e7bcf081bd445b3a8e1a98468d4fd8386ac9f5c1e5f8
SHA512 128ff1c729ba9e18fd39e4831ee4a2a0faf9e4119ed6cbc4feba859dfebf9d21066874fde1c668489bf8d1be38ca0714551d753bd1fce1cd49f4547c4b2981cb

memory/2692-354-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-358-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-360-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-371-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-374-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-375-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-376-0x0000000006500000-0x0000000006743000-memory.dmp

memory/2692-377-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-378-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-379-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-385-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-386-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-387-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-392-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-394-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-395-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-396-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-397-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-398-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-399-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-400-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 ed2206c31c18c206b287ef8b2e5207da
SHA1 9878fc226db2caac66b3fcfdad2f1cff7cbd6318
SHA256 15d1f1d37069811fc3f53467189c8c5cc37fe631469810f83d292f6b83230ab5
SHA512 797862f00dec0fe10fb907b98ddacbc2ea3477aab2669ada903fdfbb6df1a2dfe7107972e1de486d9d8079b2cb1f1ee14f70205d6e6e1e2fef234f19bf7be18b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 3c7567054b3c8aa7a624bc9ccc852f48
SHA1 b0d3d25de1d04d5fcab8bee269081eda1f90f99b
SHA256 2542c92499179deb684ed8d3d7b1a8479f62c9322587515952b1468dbf89a5c6
SHA512 0f4f25c156d07afccc575247ad3ea7bdf731d8964a18222464a9bd9ad59b46db15371305d4c2e3f4f5c1ce18d3e0cacf8fc82648af3a12dc94d656babd2d2b1a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 941c6bd9c75b038225325589d10972ef
SHA1 d6c86c6f80ab14dc9fa2e3a416111e222db6075b
SHA256 d918ddc672f5fbb5ead8980573de87776dc02fedc2d3c277dbc672611ea70b32
SHA512 160205d0348a456d033f8043b3d09c188410d8864cb86595bbe9c63d07a2798d3cabcf60bca2e71c8aec4ef4864acd44bef46714715f2d84066e7cfe07b94ffd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 52ff28c03bdb5dfd597e20f409a5e1b6
SHA1 4addd89cfe0a818bf5777d24ecc0f77610891fc5
SHA256 60001f451c49b588f7cce20d38d73ffa072b144f5e0cdf8e627395fef1b63257
SHA512 5a9d46b38f51630e28ff27b9eba34e7d645abac3dd34d88da192ac7629039951534f3cbcdb89590aa213dc1f898cbda7e52cdc7296fe01cfb8bd22bb0a77c21b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\1A495955E7161F0B821C21A824220FD399FC7DBC

MD5 a535f811409769da84fc08b3dbc4f931
SHA1 14bda2f40d6fdf537574141792ad3e3d0068f848
SHA256 ac9c142af1c9585018fb0cdef08d0f87b0a64918f4c636e4ae33d74f968195d4
SHA512 af688f51a48c2b6a0a72c86245423303de867748c62749e479ce395f741640b9efa0f9a8f3ba1c1c3af9d7587cf043b492c92bdd3e29781ee11b4f36b9651f7a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 cd7fb359358df14ef91f86018914e6ad
SHA1 813bd634c9fca5717bc0840a4e66a5bdb1e761e9
SHA256 6f75fa324b0a0b961bd41ae29c8b16a3c0fa8e5b2ebf461ab3ae6bc33e7aa09b
SHA512 ebee7ee3e8babdbd7a5bf85b38ae8b83ca0f8c354ca948bbd9ea3ebbf9c42a74703433f058348e2fea28cb1c583c42a9bdc2ce5919b58a3feba2907d816e06a9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

MD5 856d91c4110fdffa7c458033d0fb2e0a
SHA1 19823fc36d1032398705a5f6d0a6d04963fa46a5
SHA256 df8e1a314b0e72e14316fa20239ffeaf10849f6752a863a4a3116b855db9ed67
SHA512 313df35e30e1a457afa8f9f332424f2e28b52c29ccfff02ec622a638fa3712141ad0a014334acc4b71cb732e010cdd6af748d01cdf9a2fcbba03261f49424ecb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js

MD5 7332e2c4c075067c221735f83e46c851
SHA1 e4fba4d0baac24b679a1c5079ceaa49238661ff4
SHA256 2c23c998db5595f123a208fd69ba7e6cadd7b483c624dd23f271f65e6277e05b
SHA512 32d4f0d75e3fc7950a4ea9a3aee6fad64ca62915f2ae75d0da9b8e6c873e0e8989a0c06028896439b04f0adb712fe283a4e9002db0da3f2d34124660b6fff02d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\targeting.snapshot.json

MD5 667557fa7af954f455c83b70c135ff99
SHA1 458d8b40e80ecfc4aab08deceaf68f4812ed8a39
SHA256 d02f017638fe963c688c265b410dc3c319c1e84cdb43b0f339b18f64e3b5d749
SHA512 b24da66038c81464707b193ea6cdcfb76feb794e3bb93adcb7cff4b728a17c361257831237c7b1f14daa1b37e39763e5eb825274779f40da0d28a603e39abd63

memory/2692-465-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 5073a8a704f96a96e9a30a5d441cbb90
SHA1 ad685b7311e529890a30e4d63d21d57ad01540b1
SHA256 9844a81a4d837b34724fbcc7fd46d59968b205481d62fc9141ef344d8f0f7c58
SHA512 ca46c7222ea6fb2ed8a044c14c5acede2b4d60274b8ed5ebfef5000afde0e0a08569ca7e2dc1cfa4fe52ed88f96339a0e4c3c147ea663b9c9a74be049eca66bd

memory/2692-477-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-478-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-479-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-484-0x0000000000DB0000-0x000000000127A000-memory.dmp

memory/2692-485-0x0000000000DB0000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\bookmarkbackups\bookmarks-2024-08-12_11_CbmwIF9owvsCs8vtVFuz+g==.jsonlz4

MD5 e4eda0553a9a2b8ddd9d4a1d368365a2
SHA1 78c066fc1716b0cc7882ebfb1b3eec6373aa7246
SHA256 c325c54478a203494578b723200002225ed06b3905bb9596cb8d657372ff250e
SHA512 65a16309c4bf12f503ac8a88180f269ffd949743f7c1ab6139c89d6d11d6313bdc05967c74dffb759acc8e550604531e0334314c526f6355adda4f290ea1603e