Malware Analysis Report

2024-10-18 23:40

Sample ID: 240812-fng5ya1bnf
Target: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
SHA256: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
Tags: amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8

Threat Level: Known bad

The file 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:00

Reported

2024-08-12 05:06

Platform

win7-20240705-en

Max time kernel

299s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\4319333f82.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4319333f82.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2936 set thread context of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2640 set thread context of 2828 N/A C:\Users\Admin\1000037002\3f10a3c797.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\3f10a3c797.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2764 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe
PID 2936 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2936 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2936 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2764 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3f10a3c797.exe
PID 2640 wrote to memory of 2828 N/A C:\Users\Admin\1000037002\3f10a3c797.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2764 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe
PID 964 wrote to memory of 1900 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1900 wrote to memory of 864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe

"C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\3f10a3c797.exe

"C:\Users\Admin\1000037002\3f10a3c797.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.0.1892668569\1604881904" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f5ce8cd-3e41-4b17-be61-c091035c38da} 864 "\\.\pipe\gecko-crash-server-pipe.864" 1296 45d8458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.1.1553072931\2131308318" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2299702-4238-40b3-8683-fce1af55e655} 864 "\\.\pipe\gecko-crash-server-pipe.864" 1496 e71858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.2.2083489582\2019642731" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2044 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c44cea08-5b03-45a5-a5f1-7d2b192ebeed} 864 "\\.\pipe\gecko-crash-server-pipe.864" 2068 455a458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.3.1404986934\1102116868" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8086d4a-f8d1-4b74-881a-3cc8da9ce073} 864 "\\.\pipe\gecko-crash-server-pipe.864" 2912 e30158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.4.2142128249\1881575508" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3792 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c8646a-8dde-4b6f-93ac-1df0e4aef767} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3800 1ffd3058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.5.68785526\789058439" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1ff75b5-1eff-4488-8a30-e51e59147058} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3916 1ffd3958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.6.1317749055\1428459700" -childID 5 -isForBrowser -prefsHandle 4080 -prefMapHandle 4084 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2145ca11-ab67-4e9e-ad0f-3ec21c8454a2} 864 "\\.\pipe\gecko-crash-server-pipe.864" 4060 1ffd4858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.7.1478840435\1503009647" -childID 6 -isForBrowser -prefsHandle 3968 -prefMapHandle 3972 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b45984-7aa5-45c8-a0de-3ed64c48ce63} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3956 22c8db58 tab

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49299 tcp
N/A 127.0.0.1:49305 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
RU 185.215.113.19:80 185.215.113.19 tcp
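The Network table above mixes three kinds of traffic: the sandbox resolver (8.8.8.8), the Firefox and Google traffic that the detonation image generates on its own, and the sample's own connections. The rows worth pulling out are the plain-HTTP connections to 185.215.113.x in which the Domain column just repeats the IP, i.e. no DNS lookup preceded them. The Python below is an added example, not part of the report: it parses a subset of rows copied from the table and buckets them with that heuristic. The benign-suffix list and the "c2-candidate" label are the editor's assumptions, not a determination the report makes.

```python
"""Triage a sandbox 'Network' table: separate direct-to-IP HTTP flows from
resolver traffic and the browser telemetry of the detonation image.
Added example; NETWORK_ROWS is copied from the report, the suffix list is an
assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Rows copied from the report (subset). Loopback rows carry no Domain column.
NETWORK_ROWS = """\
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49299 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
"""

# Assumed: domains the sandbox's own Firefox and Windows image talk to.
BENIGN_SUFFIXES = ("mozilla.net", "mozgcp.net", "mozaws.net", "getpocket.com",
                   "google.com", "youtube.com", "gvt1.com", "openh264.org",
                   "akamai.net")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:            # no Domain column (loopback rows)
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(flow: Flow) -> str:
    """Bucket one flow. Order matters: loopback and DNS first, then noise."""
    if ipaddress.ip_address(flow.ip).is_loopback:
        return "local"
    if flow.port == 53 and flow.proto == "udp":
        return "dns"
    if flow.domain and flow.domain.endswith(BENIGN_SUFFIXES):
        return "browser-noise"
    # Direct-to-IP connection with no hostname: no DNS query preceded it,
    # which is the loader/stealer check-in pattern worth reviewing first.
    if flow.domain is None or flow.domain == flow.ip:
        return "c2-candidate"
    return "review"


def triage(text: str) -> Dict[str, Set[str]]:
    """Return {bucket: {"ip:port", ...}} for every row in the table."""
    buckets: Dict[str, Set[str]] = {}
    for f in parse_rows(text):
        buckets.setdefault(classify(f), set()).add(f"{f.ip}:{f.port}")
    return buckets


if __name__ == "__main__":
    for bucket, dests in sorted(triage(NETWORK_ROWS).items()):
        print(bucket, sorted(dests))
```

The port-80 check-ins to 185.215.113.19, .16 and .100 are the only rows that land in the candidate bucket; everything else is resolver or image noise. Confirm against the HTTP request bodies before blocking, since the table records connections, not what was exchanged.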

Files

memory/2688-0-0x0000000000A20000-0x0000000000EDE000-memory.dmp

memory/2688-1-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/2688-2-0x0000000000A21000-0x0000000000A4F000-memory.dmp

memory/2688-3-0x0000000000A20000-0x0000000000EDE000-memory.dmp

memory/2688-5-0x0000000000A20000-0x0000000000EDE000-memory.dmp

memory/2688-10-0x0000000000A20000-0x0000000000EDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 4a92075dbd9a0ed4d476c7372a6acff3
SHA1 9033b86c9e62e54f9cb90555cd5290c802051f35
SHA256 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
SHA512 961127df540addb9cbaf6e0c145a64d1624d661e86e9905db01d8a21962b30af317f2d18fad10c18632a62147ac659fb5350846dc782ea43690be0abe6d1e16f

memory/2688-16-0x0000000000A20000-0x0000000000EDE000-memory.dmp

memory/2764-17-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-18-0x0000000000A81000-0x0000000000AAF000-memory.dmp

memory/2764-19-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-21-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/2936-36-0x0000000000800000-0x0000000000930000-memory.dmp

memory/964-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-52-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-54-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/964-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-40-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-38-0x0000000000400000-0x000000000052D000-memory.dmp

memory/964-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\3f10a3c797.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/2640-69-0x0000000000980000-0x00000000009B8000-memory.dmp

memory/2828-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-77-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-83-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-82-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2828-79-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-75-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2828-73-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2320-103-0x0000000000210000-0x0000000000453000-memory.dmp

memory/2764-102-0x0000000006540000-0x0000000006783000-memory.dmp

memory/2320-104-0x0000000000210000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin

MD5 5b8c162e2146e64f831a5829ea6f74f6
SHA1 a1def5f927bb4a5aceb23cf6b71302b155fae26a
SHA256 d4deb6805eb0b8fff8cbc90ab6213c16288fe8b2c8d94143d637b60f57722ca5
SHA512 8ec24939c083c977a1a331fda3f2d83d09a750aaec3c8f15c91d9c0cc25df302a0da8621476a24572402b13e1dc5cf24585d8a8ccc74f9c461b4d698da2945a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\e3306f47-06b1-4c33-a1c5-2079179b18bd

MD5 7a91d32b41dbd4688107ffba79f8d825
SHA1 9caa6e39431e55fbf35726e05ab79e184f820b1e
SHA256 f6f01830a2f026d052292be3f63a3787f1c023468004a1137873da02383959b6
SHA512 b0b75977c1a4a6d926acdd97b8807e592a5c06ccb10d38def6a3c97665670237beea1f935ec15e700bd928d4ec402f9848234e0fea0a34158ff7017a1053a2b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\8373eb38-6ede-4e13-b69c-ec6367642c28

MD5 aaa31a84d36873c13d4a685b69004a38
SHA1 6be0b1a3515f5c4854fb056e5097194ecbda37af
SHA256 95f1e78f004ee5399b8486b5a6b8b0758e3d39483589466051a83acfd0abdcfd
SHA512 0ff004dd3e05cbbc8ffebdc0b45a62752b8b2c5fb446fd9646b50476dabf7e34ebbf7598c5a3854ec8aa49178968503f66fd4a3caadd03cee41d42b8ee2daf9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b35168e22d4587ca37d0174f4eb27c8c
SHA1 a07075038391d0b93092e1618497a7799dcb5e18
SHA256 83cde2e7574cc3209d39b0db964fcfcc28f52e077021ab0604b3f52710f8ccc1
SHA512 277cd4696f5a1db9a14ee880b423932a0c00a1f7f9944560942dcc8a6ea930e84e0bb42962ef3c7b27c192e041ba86eebc945ea32dded85a34dcf5a57358a79e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp

MD5 bc7f263fa748782fef952f0a2be05f86
SHA1 ecf73428b56e662ac3499818f202d946d3ede996
SHA256 aa5ba3cb2ccd0b29b4bc81e02dab773d6304e7fe3fbc1505610247fabb69961e
SHA512 03ebd4b6528de9aef399774f4b78599a8cfe052ea2cd0bc95eb6aa8d7e58e2b9e61a3eac56f5a693806f9ca4e0df811a346cdb55f360888b13bcc1f96f237309

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

MD5 be04f86bf0dd66aa7312d42cc631166a
SHA1 f1c5deff848444b88dba4c06502cd69a04d9aca6
SHA256 2a64386508b6a545dde41c91a3198dbeb8e0ef33aea4e536b95a68ad6206b5f6
SHA512 e5eb341da09c679f4d5a1c95be9401e90a1730aeca348fa3e90cdf511c1d0a57e046ff7606f4fb7bf20ac0a849da2f1dd320dc6dd065f0105ae82667da04dfb1

memory/2764-251-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-260-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-261-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-271-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e32d79f4092dc7cc5e6709620798cc4a
SHA1 5994dcaa882647bce083c0a8b204c4a0d78a5797
SHA256 c040686c9bda2825ee182502e53de66c503951cc4381e7afc499a4425c9216be
SHA512 ea8a13f6976edca5f89aa77e1ae5ca1d51a3ed93f199fefcc6117a118274ec1882ff952dddd926215f8d95bddb53306bc3b1799dd7aef1cbc283aadabc644796

memory/2764-277-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

MD5 7e1df02bc994a379bfa54e1e1c06bff7
SHA1 4f693431bb7e45e7697e9c328933e4df1d61eb2a
SHA256 bc14f8eb7bd7be313eefb04a2fd90f042dca8b5d6ea5e3ddd3818b43e95d5988
SHA512 ba1962d8d3d5214ebb25cdb651a8c12cb3a348e79a4eda8a08cc0271a0aded1ccfd0a015f298c0e6baf033b1a93b1da75b8151fbf9432f0c5bfd242e1e371af7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

MD5 720f3a56101a5d57d5a226701b403ec1
SHA1 d0b67a64eaebad59099f7ec4d85e7c9c9014d6b6
SHA256 0e9055c8e186ce8e62192610a78057ad11424c1ae656adccbf7950651060660d
SHA512 89ab72ca83f8b64a17904b7d6637133a4a8c6288b697207657e3818beaf1b67e6ebeb0b84276e66b66e101cbafa05b9d44adc6bd8a13957f7822e0984cb1f70e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

MD5 7842d49200d29a6e18ca605e2cf05b88
SHA1 0d2ffbbfd8d1538ff8532b205ec458978c84d7a9
SHA256 4ef58d5d2ebdbfbbbb1f6a12611ae8059b888d0cc62fc78e47ce91c4215d0d68
SHA512 af93a4010b553a72eb33919c3026937678b76e14ed92f3b90695aaafbdebdc3f50b8bd8e0182f62012170cc6c4c6bde3951d3eb576c0821c37ace6095afd481f

memory/2764-359-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-361-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-363-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-375-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-376-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-377-0x0000000006540000-0x0000000006783000-memory.dmp

memory/2764-378-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-379-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-380-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-381-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-387-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-388-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-389-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-394-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-395-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-396-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-398-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-399-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-400-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-401-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

MD5 ef0e8eabec735d52c8e321a11e73fbfd
SHA1 c4a0ed706d701e0bd49910694ad332baeaed81d6
SHA256 324d464e7b0f68418b5457bbf4ce6c4a2072b9a90837c3059b36f000339d9b36
SHA512 1b9b1428da08cd78d5fc64edbe0c84a15952f712b4b0e4b20d94c1a048e1786de169692b8c12a445610086cc2286e77ec367be2d6dadc9e414f057ba58e807bb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

MD5 1c8134e403e5f6275559f31a8e750dad
SHA1 04f8902b9c389d0f762ba21e35418aad17d8d241
SHA256 97729157e9bc829bdf527c1cfa12bf384c8831f02da811b6fdb3fbc96f68f850
SHA512 60eb64b47ec3f65dade79d85aaa48367976c1c09f12fa870bef9fa7391ea2aa1036cecebd6ce03521ec0412b9b5aecbd1511c46d7e6c0d094e649b3f5b56ac82

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 412a4d96c30f33ba90e10c5146a9a119
SHA1 04c56dc6b45b84ee22e20fef92a9aab06601cb1e
SHA256 d7adc6dcb6c4d0445924a4259f8f2a547448db0612f9404cfff84a389983e1e6
SHA512 d2e9c349f9b67698feec549b6f8b9fdc79ed99f39a48622f59ababf6d29ca58aba3709c29a998b1445d71728908d30edd140e47a34d15112a50b72731607eb21

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\9F2876E394CC0D145C752C03A25AEA847C11112D

MD5 8bcc22d59c316dba8d3abd229e4bc363
SHA1 00a7a6774813c67843af73aa00a75da16a0a65c3
SHA256 bec6d6e2c67d05acce105c4e7731a326e1697dd038ff6c6a20141e7f22f6440f
SHA512 5fd3958a75165c337476e722b779e561b28e12316390d77034784898e231c6f19eb5ac3c4f830bbefcfe9d408a1c1db5819e57262693796f7f29ad1e7a7bcfc6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 3c432a25082fc1eb89d73697906b1ca0
SHA1 62c705926ae6fc4d5bfb470883a8737c0fefc830
SHA256 855219f6dc1256a16a236e1f550e9bc5bc2b9f48223843eaf7c3ae78c02b7127
SHA512 447303a771fb2899fac80f9fbc0ebe4fb5cfbf35a6d56d92624abafeeff6f9784a5dbc94496069480fbad0aa147c350f9bae2a94d3c5b918ee4f558ddb95db6b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 c7f1f33f05554d1ade98e9ecc2cb4397
SHA1 25579ad40f3523712e1098497ffe21971862f0a8
SHA256 655859b69149f7d7752d4a07ace34e46057a5da7eb65ec80a69171e1f27087b2
SHA512 650da86b72801487b688bb677f7dedf28df6835f82a6f674604f60c3ed1cc1125e40c32835dce822de309c212e9b64d9db906aa2c81649df69e3d4069c4a3342

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 8d869d871c17b2ff88f93f05310f126e
SHA1 3e7dbe0760b17d39b76d4d0bf9dcacc0db704bc4
SHA256 fe6f3014c4837bf5550629a880eaf1c35306f25c6108366d917e8a7779d6839a
SHA512 b0d2c0408ffcc92bd24d67fb54e2c7e3ec43e47564d1a29b91b2e297fd5e2630b8b5d9575b065de8598e0cee1859716b370c1e051bf3695df82388ee89948ed0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 c3c305a14eb5463d357f8ef3eb3fe6ce
SHA1 1764c7bf30829ad16c2e100c5f5991a2f2836ca2
SHA256 42693cd16c2aab91079621f895f7718b71cd42bd2fcf840c58a2b207a3038b7d
SHA512 c20e4ae5197d0e8660a3368327141aeff2a0be5eb66e4bd01efece40d28950bf81c04c72908406b76ffca86a7fe6be8b2a9034773d1e769e7f9c6bfbcde55528

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\targeting.snapshot.json

MD5 411ddff8a0098dec6ab50f23e7ba231c
SHA1 880fc989fd4a01e4d169206dce331246b66fed0c
SHA256 1875aa64032888f201ec0b4a35f406a4fe6850cfd7067ac3ac9d4197ee4bb7c6
SHA512 96af74216b2369c87c300fccab462a0ee92c889012e1bfe5a6a8f69504522e7f7d5b1ccbc8ed8833fb470a9392cf7376b5cdfdca8df61409f09edea7450932af

memory/2764-464-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-465-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 b7379d370f7981892b5848df0e5e8914
SHA1 4ef13c2765a6525a2513f417b5f5d66595fbeb3b
SHA256 de6a742a1685dc25ff72a59c481c4518953e9b23618ba6aa26aec7d357b890f6
SHA512 4b650ed823e8d7b74eb125a28e0015230ff179b2ca177484ac242c90a20fde9eac4226af0748ba22b4c6298c2275af5a4ddd8527224dc91b56170f8547e46728

memory/2764-477-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-478-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-479-0x0000000000A80000-0x0000000000F3E000-memory.dmp

memory/2764-484-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\bookmarkbackups\bookmarks-2024-08-12_11_5h7eKW0pE3Aq-pSa2dI0OA==.jsonlz4

MD5 895682c2fc2c07cda215ba62e57261b6
SHA1 fb66e4eea346617848114284d5f3c788ce3276af
SHA256 c156c613aaeda19ab4baead86896360c173d4af91d03c030b179fbda8372b4e5
SHA512 00a3f07045bed64190797c18db731015afb997f378005c0acda45f6e6ed412a5ae1d20590a3376e4a32a6eb12289e611ce60543702c078090a20ac7ca8914317

memory/2764-492-0x0000000000A80000-0x0000000000F3E000-memory.dmp
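Most of the Files list above is Firefox profile churn from the detonation image. The report's own hashes also show that C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe carries the same SHA256 as the submitted sample, so the loader copies itself into a random-looking Temp directory and runs from there. The Python below is an added example, not part of the report: it parses an excerpt of the Files section (a path line followed by hash lines, copied from above) and separates the self-copy and dropped binaries from profile files and memory dumps. The bucket names are the editor's assumptions.

```python
"""Parse a sandbox 'Files' section and pick out what the sample dropped.
Added example; FILES is an excerpt copied from the report, the buckets are
an assumption."""
import re
from typing import Dict, List

SAMPLE_SHA256 = "107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8"

# Excerpt copied from the report: path line, blank, then hash lines.
FILES = r"""
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 4a92075dbd9a0ed4d476c7372a6acff3
SHA1 9033b86c9e62e54f9cb90555cd5290c802051f35
SHA256 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8

memory/2764-17-0x0000000000A80000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe

MD5 db946418424011c782182c76ab8c179f
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

C:\Users\Admin\1000037002\3f10a3c797.exe

SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

SHA256 bc14f8eb7bd7be313eefb04a2fd90f042dca8b5d6ea5e3ddd3818b43e95d5988

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|memory/)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)


def parse_files(text: str) -> List[Dict]:
    """Return [{"path": ..., "hashes": {"SHA256": ..., ...}}, ...]."""
    entries: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            cur = {"path": line, "hashes": {}}
            entries.append(cur)
        elif cur is not None:
            m = HASH_RE.match(line)
            if m:
                cur["hashes"][m.group(1)] = m.group(2)
    return entries


def classify(entry: Dict, sample_sha256: str = SAMPLE_SHA256) -> str:
    """Bucket one entry; the self-copy test runs before the path tests."""
    path = entry["path"]
    if path.startswith("memory/"):
        return "memory-dump"
    if entry["hashes"].get("SHA256") == sample_sha256:
        return "self-copy"              # byte-identical to the submitted sample
    if PROFILE_RE.search(path):
        return "browser-profile"        # Firefox writing its own profile
    if path.lower().endswith((".exe", ".dll")):
        return "dropped-binary"         # second-stage payloads to hash and hunt
    return "other"


def summarize(text: str) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for e in parse_files(text):
        out.setdefault(classify(e), []).append(e["path"])
    return out


if __name__ == "__main__":
    for bucket, paths in sorted(summarize(FILES).items()):
        print(bucket)
        for p in paths:
            print("  ", p)
```

The self-copy bucket is the one to pair with the Run key and the explorti.job entries later in the report: the persisted name is explorti.exe, not the submitted file name, so hunts keyed only on the original hash still catch it but hunts keyed on the original file name do not.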

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:00

Reported

2024-08-12 05:06

Platform

win10-20240404-en

Max time kernel

299s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc2bef2d6e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fc2bef2d6e.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4784 set thread context of 4148 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4628 set thread context of 4468 N/A C:\Users\Admin\1000037002\3f10a3c797.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
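Three indicators in this run either survive a reboot or move execution into a trusted binary: the Run value under the user hive that points into Temp, the explorti.job file dropped into C:\Windows\Tasks, and the SetThreadContext calls from the dropped executables into RegAsm.exe. The Python below is an added example, not the report's or the sandbox's code: it encodes those three as rules over constructed Sysmon-style events (RegistryEvent 13, FileCreate 11, ProcessCreate 1). The field names, the benign control events and the ATT&CK labels are the editor's assumptions. Sysmon does not log SetThreadContext itself, so the proxy used here is a RegAsm.exe process whose parent runs from a user-writable path; the other two rules likewise key on the user-writable path rather than on the file names fc2bef2d6e.exe and explorti.job, which change between builds.

```python
"""Detection rules for the persistence and injection indicators above, run
over constructed Sysmon-style events. Added example, not part of the report;
event shape and rule logic are assumptions modelled on Sysmon event IDs 13
(RegistryEvent SetValue), 11 (FileCreate) and 1 (ProcessCreate)."""
import re
from typing import Callable, Dict, List

Event = Dict[str, object]

# Constructed events. The first three mirror rows from the signature tables
# (registry paths in Sysmon's HKU form); the last three are benign controls.
EVENTS: List[Event] = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
     "TargetObject": r"HKU\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc2bef2d6e.exe",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe",
     "TargetFilename": r"C:\Windows\Tasks\explorti.job"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetObject": r"HKU\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Mozilla\Firefox\Launcher",
     "Details": "1"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\SA.DAT"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\",
                     re.IGNORECASE)
TASKS_JOB = re.compile(r"^[a-z]:\\windows\\tasks\\[^\\]+\.job$", re.IGNORECASE)


def _s(ev: Event, key: str) -> str:
    return str(ev.get(key, ""))


def rule_run_key_to_user_path(ev: Event) -> bool:
    # Run value whose data points into a user-writable directory.
    return (ev.get("EventID") == 13
            and RUN_KEY.search(_s(ev, "TargetObject")) is not None
            and USER_WRITABLE.match(_s(ev, "Details").strip('"')) is not None)


def rule_job_file_from_user_path(ev: Event) -> bool:
    # Legacy .job task file written under Windows\Tasks by a user-path binary.
    return (ev.get("EventID") == 11
            and TASKS_JOB.match(_s(ev, "TargetFilename")) is not None
            and USER_WRITABLE.match(_s(ev, "Image")) is not None)


def rule_regasm_from_user_parent(ev: Event) -> bool:
    # RegAsm.exe is a signed Microsoft binary, so the parent is the tell.
    return (ev.get("EventID") == 1
            and _s(ev, "Image").lower().endswith("\\regasm.exe")
            and USER_WRITABLE.match(_s(ev, "ParentImage")) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "T1547.001 Run key points to user-writable path": rule_run_key_to_user_path,
    "T1053.005 legacy .job file dropped under Windows Tasks": rule_job_file_from_user_path,
    "T1055.012 RegAsm.exe spawned from user-writable parent": rule_regasm_from_user_parent,
}


def run_rules(events: List[Event]) -> Dict[str, List[Event]]:
    """Return {rule name: [matching events]} for every rule that fired."""
    hits: Dict[str, List[Event]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev)
    return hits


if __name__ == "__main__":
    for name, evs in run_rules(EVENTS).items():
        print(f"{name}: {len(evs)} hit(s)")
        for ev in evs:
            print("   ", ev.get("Image") or ev.get("ParentImage"))
```

On a real host the same three conditions can be checked directly: enumerate the Run values under HKCU whose data resolves under the profile directory, list C:\Windows\Tasks\*.job and inspect the job's command, and look for RegAsm.exe running without a .NET assembly argument whose parent lives under C:\Users.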

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\3f10a3c797.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4912 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2904 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe
PID 4784 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3f10a3c797.exe
PID 4628 wrote to memory of 4468 N/A C:\Users\Admin\1000037002\3f10a3c797.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe
PID 4148 wrote to memory of 3384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3384 wrote to memory of 4540 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4540 wrote to memory of 3880 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4540 wrote to memory of 3224 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe

"C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\3f10a3c797.exe

"C:\Users\Admin\1000037002\3f10a3c797.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.0.338813945\191002300" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54de3c9-0149-4c60-bc3a-fb73b52e2986} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 1792 219b13f5b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.1.1999538935\837365051" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {986bf50f-75b5-4b91-aadb-bd117fd893c2} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2168 2199f073f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.2.1062840632\841426453" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2756 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf8ea650-6b56-48ea-a95c-b265938db4be} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2764 219b54d7958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.3.1352008755\681135304" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5ffccc6-0a24-4a50-9214-be21a1c94be3} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 3472 2199f064558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.4.1451832655\895259457" -childID 3 -isForBrowser -prefsHandle 4924 -prefMapHandle 4624 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de1d121c-f305-4719-b1f6-08597e987cdc} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4928 219b5e06e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.5.1870361933\407945502" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de905d39-c548-4fb0-9617-5139db26e7f8} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4944 219b5e05658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.6.1600500602\1921353508" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0a2216-9afd-43ef-838e-36607dfadb70} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5240 219b86c4558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.7.1507780402\1871134597" -childID 6 -isForBrowser -prefsHandle 5536 -prefMapHandle 4924 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d1f1510-9554-4305-9c71-4e743a6c7844} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5544 219b9824558 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe

C:\Users\Admin\1000037002\3f10a3c797.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7a59123c-ca92-4df5-9adc-2aa99b74fd28

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b798b364-a4c6-4efc-a04a-41847ed6e53f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 c625551ce2d609be773603db0091d329
SHA1 5c395d71c63da412b6b07c5317fa1cdc2f2e8464
SHA256 4df8266994b34dd7ca9cc5921403a6bdf23977ffc1adc1f64aa7146e99cb69e5
SHA512 01237a0862608f265ceae0cdb44b3de07c3c51cfe7260f375ad520c75045b8bdc223d5e169d81ee53d87e106b1ccbb8f35efb9dc5fb4384a56a9dc98999727df

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-08-12_11_+ftwiIQfjYtrlniJNZ3V4g==.jsonlz4
