Malware Analysis Report

2024-10-18 23:42

Sample ID: 240812-fpv37a1cjh
Target: 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
SHA256: 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
Tags: amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87

Threat Level: Known bad

The file 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-12 05:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-12 05:03
Reported: 2024-08-12 05:08
Platform: win10-20240404-en
Max time kernel: 299s
Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 6
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A | 1

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 6
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 6
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A | 1

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 6
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A | 1

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d383a3ff0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\0d383a3ff0.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2628 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3388 set thread context of 3700 | N/A | C:\Users\Admin\1000037002\76b0bdeda4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\76b0bdeda4.exe | N/A | 1

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 6

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 60
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 61
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4180 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | 3
PID 2212 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe | 3
PID 2628 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 2628 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 10
PID 2212 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\76b0bdeda4.exe | 3
PID 3388 wrote to memory of 3376 | N/A | C:\Users\Admin\1000037002\76b0bdeda4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 3388 wrote to memory of 1928 | N/A | C:\Users\Admin\1000037002\76b0bdeda4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 3388 wrote to memory of 3700 | N/A | C:\Users\Admin\1000037002\76b0bdeda4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 9
PID 2212 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe | 3
PID 1300 wrote to memory of 1360 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 1360 wrote to memory of 4628 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 4628 wrote to memory of 1988 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 4628 wrote to memory of 1572 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 9

Uses Task Scheduler COM API

persistence
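
Triage helper for the registry-probe, SetThreadContext and WriteProcessMemory tables above. This is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. It parses rows in the "Description Indicator Process Target" shape the tables use, rebuilds the injection chain from the submitted sample through explorti.exe and the downloaded payloads into RegAsm.exe, flags a parent that both wrote into a child and set a thread context in it (the process-hollowing pattern behind the "Suspicious use of SetThreadContext" signature), and maps the VirtualBox ACPI, BIOS-version and Wine probes to the images that issued them. The embedded rows are copied from the tables above with the submitted sample renamed sample.exe for brevity; the regexes, labels and function names are this example's own assumptions, not the sandbox's.

```python
"""Triage helper for sandbox signature rows (added example; see lead-in)."""
import re
from collections import defaultdict

# Rows constructed from the signature tables above. Paths are the report's
# own; the submitted sample is called sample.exe here instead of its SHA-256.
SAMPLE_ROWS = [
    r"PID 4180 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
    r"PID 2212 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe",
    r"PID 2628 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2628 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2628 set thread context of 1300 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2212 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76b0bdeda4.exe",
    r"PID 3388 wrote to memory of 3700 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 3388 set thread context of 3700 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1300 wrote to memory of 1360 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A",
]

# Process paths may contain spaces (Program Files), so rows are split on the
# fixed tokens ("N/A", ".exe", a drive letter) rather than on whitespace.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (.+?\.exe) (.+\.exe)$")
REG_RE = re.compile(r"^Key (opened|value queried|created) (.+) ([A-Za-z]:\\[^:]+\.exe) N/A$")

# Registry keys ordinary user software has no reason to read; each label is
# this example's name for the evasion signature it backs in the report.
ANTI_ANALYSIS = {
    "VirtualBox ACPI table": re.compile(r"\\HARDWARE\\ACPI\\[A-Z]+\\VBOX__$", re.I),
    "BIOS version probe": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "Wine registry key": re.compile(r"\\Software\\Wine$", re.I),
}


def parse_rows(rows):
    """Sort rows into memory writes, thread-context changes and registry
    accesses; rows in any other shape are ignored."""
    ev = {"write": set(), "ctx": set(), "reg": []}
    for row in rows:
        if m := WRITE_RE.match(row):
            ev["write"].add((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := CTX_RE.match(row):
            ev["ctx"].add((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := REG_RE.match(row):
            ev["reg"].append((m[1], m[2], m[3]))
    return ev


def hollowing_candidates(ev):
    """A parent that wrote into a child AND replaced a thread context in it
    is the hollow/replace-image pattern. Returns (parent pid, child pid, child image)."""
    written = {(s, d): img for s, d, _, img in ev["write"]}
    return sorted((s, d, written[s, d]) for s, d, _, _ in ev["ctx"] if (s, d) in written)


def injection_chains(ev):
    """Follow write-to-memory edges from processes nobody wrote into (the
    roots) down to the leaves, returning one pid path per branch."""
    children = defaultdict(set)
    for s, d, _, _ in ev["write"]:
        children[s].add(d)
    targets = {d for _, d, _, _ in ev["write"]}
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [root])
    return chains


def anti_analysis_hits(ev):
    """Map each evasion probe to the image names that issued it."""
    hits = defaultdict(set)
    for _, key, proc in ev["reg"]:
        for label, pat in ANTI_ANALYSIS.items():
            if pat.search(key):
                hits[label].add(proc.rsplit("\\", 1)[-1])
    return dict(hits)


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    for chain in injection_chains(events):
        print("injection chain:", " -> ".join(map(str, chain)))
    for ppid, pid, image in hollowing_candidates(events):
        print(f"hollowing candidate: {ppid} -> {pid} ({image})")
    for label, procs in sorted(anti_analysis_hits(events).items()):
        print(f"{label}: {', '.join(sorted(procs))}")
```

The firefox.exe CentralProcessor row is included on purpose: it matches none of the anti-analysis patterns, which is the distinction a detection rule needs, since CPU information is read by ordinary software while ACPI vendor tables, BIOS version strings and the Wine key are not. Only RegAsm.exe PIDs 1300 and 3700 appear in both the write set and the set-thread-context set; 2784 was written to but never had its context replaced, so it falls out as a plain write rather than a hollowing candidate, which mirrors the two-row SetThreadContext table against the many-row WriteProcessMemory table above.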

Processes

C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe

"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\76b0bdeda4.exe

"C:\Users\Admin\1000037002\76b0bdeda4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.0.1699300312\1245909160" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {887f5505-07f8-46c9-a1e5-a720508be2fc} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 1796 1b77ffd9b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.1.1978711312\166743239" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51169f68-5738-47ef-b4d1-aefced0b0737} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2172 1b7011ca458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.2.11050568\1875956795" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2684 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5812ef9-7a4b-4436-808e-3103c561fb6d} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2720 1b7043ce858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.3.675724113\2102222229" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02678771-4392-4d59-822a-e11ada3df290} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2756 1b705551158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.4.1821092895\58823418" -childID 3 -isForBrowser -prefsHandle 4928 -prefMapHandle 4916 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6286fd-b13c-4cd9-84d4-9d998c1cf387} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 4932 1b704b36458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.5.1626656698\471861220" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 5092 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd8d30c9-a0c0-48aa-a8d8-196e9d8bf0e2} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5196 1b704c4ab58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.6.1032471559\291607937" -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5328 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03b6b3e2-480c-4eaa-94d1-389c0023be76} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5312 1b704d56558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.7.1508561197\1279762685" -childID 6 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd13abf-8e6d-4fcb-a255-6a0f95970f49} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5500 1b704d57158 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49830 tcp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 200.110.239.44.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com tcp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
N/A 127.0.0.1:49837 tcp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 138.163.125.74.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
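Most rows in the table above are the sandbox's own resolver traffic, Firefox telemetry and reverse PTR lookups; the rows that matter are the plain-HTTP connections to 185.215.113.19, .16 and .100, where the Domain column just repeats the IP because no name was ever resolved. The script below is an added triage example, not part of the original report: it embeds a subset of the rows above and buckets them, so the direct-to-IP connections fall out as block-list candidates and the in-addr.arpa lookups are mapped back to the address they describe.

```python
"""Triage the flattened Network table of a sandbox report.

Added example, not part of the original report. It embeds a subset of the rows
listed above and separates sandbox noise (resolver traffic, browser telemetry,
reverse PTR lookups) from the rows worth blocking: connections where the
Domain column merely repeats the destination IP, i.e. plain HTTP straight to
an address with no name ever resolved, which is how the 185.215.113.x hosts
appear in this run.
"""
import ipaddress
import re
from collections import Counter

# Rows copied from the Network table above (a subset is enough to show the logic).
REPORT_ROWS = """\
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 127.0.0.1:49830 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
NL 52.142.223.178:80 tcp
RU 185.215.113.19:80 185.215.113.19 tcp
"""

# Country, ip:port, optional domain (absent on some rows, as on the page), protocol.
ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(row):
    """Bucket a row: loopback, dns, dns-ptr, c2-candidate, unresolved or named."""
    domain = row["domain"] or ""
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if domain == row["ip"]:
        return "c2-candidate"  # direct-to-IP: no hostname involved at all
    if not domain:
        return "unresolved"    # the sandbox recorded no name for this peer
    return "named"


def summarize(rows):
    """Candidate C2 endpoints with hit counts, plus the IPs whose PTR records were looked up."""
    hits = Counter((r["ip"], r["port"]) for r in rows if classify(r) == "c2-candidate")
    ptr_targets = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "dns-ptr"}
    return hits, ptr_targets


if __name__ == "__main__":
    hits, ptr_targets = summarize(parse_rows(REPORT_ROWS))
    for (ip, port), n in hits.most_common():
        flag = "PTR looked up" if ip in ptr_targets else "no PTR lookup"
        print(f"block {ip}:{port}  ({n} connection(s), {flag})")
```

The in-addr.arpa names are reverse lookups of addresses already in the table; add the IP to the block list, not the PTR name. The one unresolved row (52.142.223.178:80) stays in its own bucket because the table gives no name for it, and nothing here should guess one.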

Files

memory/4180-0-0x0000000000A50000-0x0000000000F2D000-memory.dmp

memory/4180-1-0x0000000077C84000-0x0000000077C85000-memory.dmp

memory/4180-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

memory/4180-3-0x0000000000A50000-0x0000000000F2D000-memory.dmp

memory/4180-5-0x0000000000A50000-0x0000000000F2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d6612f5d347fb3a1e9b74b324271a5d3
SHA1 f4cf302408405179d0c865438d38cdf1dec0cf80
SHA256 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
SHA512 66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5

memory/2212-14-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/4180-15-0x0000000000A50000-0x0000000000F2D000-memory.dmp

memory/2212-16-0x0000000000F81000-0x0000000000FAF000-memory.dmp

memory/2212-17-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-18-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/2628-31-0x00000000008A0000-0x00000000009D0000-memory.dmp

memory/1300-33-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1300-37-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1300-36-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\76b0bdeda4.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/3388-50-0x0000000000AA0000-0x0000000000AD8000-memory.dmp

memory/3700-52-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3700-54-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2580-67-0x0000000000260000-0x00000000004A3000-memory.dmp

memory/2580-68-0x0000000000260000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 caceb3b07c2599f179f5bf1763d3a2df
SHA1 f786adc9659ff6522d11ee4710de01af31de298b
SHA256 f156e07fec4481eac4d1b82a211cf9036e3a224f572188722516d179dbe8e31e
SHA512 aae9f31c4ada61cf28fedb7f196753cd9884efade3221f7d62be09d154cf264665332a3a7366b67b64ad2f4b9b185ea76c65805f9b0dae584700ef398c2e4de6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\73796c48-4061-4afc-b120-a871daf1324c

MD5 92537fffb7c04447005f1293e545d329
SHA1 87e009c1ab1e04a040659f7da15ac234d73f10f0
SHA256 8dfbf111d7678f8966894268e757a68cf42b5bf141ffb5aa44e637c67ab98fa8
SHA512 59344f37385ff58a6c24fb028ebea773a5e09974ccdcbfc80b07febf627fd04917a494c4e0a790dc744bdd0f9fbbd2ebab4814e027045cde0a5196fb54c5a871

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c9d4758d-581a-4e03-9182-9b922553c934

MD5 92c2d83feb1423f8a450454ff2799b6a
SHA1 377276b1927a8e53ce912a6f1f92275995d84640
SHA256 abda13ac3d24a253b9f068fbdc7da67473a490747940747e42b1dbf5f7fae529
SHA512 a30e8e33870d04fd91b834a2195e07feddfcab5ccd24b30161fd353e37cf23dcb079e9933349b8dde905e51c56872343b78016b98af8c169c301699aad509c5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 1fdc13de64cfdb8ba3fcd71aad9d33d3
SHA1 b7649cfd66d751435fa56a4b4b20daace452c692
SHA256 fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783
SHA512 3c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 679c695b2c7ca15c7f256d9d5365b224
SHA1 79c8c531fa1c0599570389d46c03b4fac94baf6d
SHA256 7c9919082f47992650799a04a07a08914991990b0bd388b895b7ace3573b845b
SHA512 ea9c63ba68f5ddefe9df3e942bb7956d78ce25a97b0911ea6351f7f0b8ef4ff9ffefd40d660d76efd5908c852650922690f6945d1a9f6c9b70ced8758d88a5c2

memory/2212-191-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-202-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-204-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f5ba49ae5e48f0540e6d3353f8b8aceb
SHA1 dd5a7c13c5d6de2765e9b1b37a7b574bb11ecb37
SHA256 3d7b98a7258c1e1d87c22dda513bd2fa1e054282cbeed3dc32aa8469b8d4b1df
SHA512 3d53783bc9d6234519165e18706324e96d113a69d6a6f38a6abb3fdde4110d00d19f427b628658072cdacc89e0387e4e0b99fea19a2d2cd05c2e530a6f8d0602

memory/2212-210-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-212-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/1972-215-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/1972-219-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 5779a0c6c1de1fa5f022fd6ce97a1c3e
SHA1 d90ec1146d2dada326a6422388cb124d49f204ca
SHA256 519bb5ba5cad4a9b7da0d7fd5607c4d41127aa11b72041cb5d7b6206d7c0272e
SHA512 774ca9683c5392186290bd8ee0a206d8da21183189493d61175e99cfe390e97207604cae61b1a13d7461e050ac161c959e9d41ae26fb695c80141cb7ee64f5ab

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a2671249c42d7f3052b47b058c262c9e
SHA1 4b87e2653d88f77c103ef0b1464e0b5d33da19a2
SHA256 369c95ca45254dd593289876f7a7b02a96b3d07762317db14c7dc2a4fa576d66
SHA512 d1732b34a524b12d54b7be229bf58a8be59c968b44428052f4ef762c87041a01dabe778d5827ff99d669c7a1b1b9cb4145940a2371ba5aa5b644ce632f23c6ca

memory/2212-301-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-303-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-305-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-310-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-311-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5896-314-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-313-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5896-315-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-316-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-317-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-318-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-324-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-326-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-327-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5292-329-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5292-330-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-335-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-336-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-337-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-339-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-340-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-341-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/3256-343-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/3256-345-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-346-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 4cd8468f8987fdccc0dcc352f277d771
SHA1 897279c741789d992362d0fc448bb0205a73daf2
SHA256 b7e34c9fb8362632d19c22fad541b05901cfa7a21bd0fbf42f58921b335f10d6
SHA512 327c90a2704b3c7264e64f54c4b25e8872cc037d43f8c87d347c4fe2c326d520e654580ad684e58a80df1c9913255035bba6884445a3b5649e69cd6141a6165f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 285a0c85b5300e909dd8343c90f9c879
SHA1 d37b49e48471c01118e4da34580e76c14482487c
SHA256 37f4f5ac93738ce7f70a1275b21f726835e717336ecf725267eb6c034774d54c
SHA512 3fd985b64be1c88d2ed1d8221f23ae254aa83aced9a7a42ad52928ac60bcbf1c1a1deb83ff179150cdc9bdf254fa91a5c11d8ef68ccfc62a7336b3c728adcdc7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

MD5 1e5c9d3e01234129b0582c5bdf10edb4
SHA1 3c36433875e40ed0be68763096851a914916afe8
SHA256 1c249621a38dcb6cb2ecea9e142a501a528f49c6d282817b214adfceea27c59f
SHA512 cf72f92fbfb1a2d9505a99baf1a3ee9b0925d94c37e9d98316e123c708da962cda99a0eba57cb71f90c4774d8f020a6f513d9b0d17990a37d177419ae6e24327

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 38c93bc18c6c0e7f109062f36f13b3e5
SHA1 e78d245193c7e1f86fde40fcd52a0fd68d1472fe
SHA256 b17e7399bd22a019ecc8ba3403b2356ef25f0e7ecc4a34c55b94f6f80d87e9d4
SHA512 ff5b96121bcc6e7e8d13633c3520202e045bc99c78eef0e993fce585ee5650f8410201f87e988e925b45113c5ef411c0bb9b4676beecd8684adbe35f76c1e29a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 4e6d52d6d66c43e3c6b70507b7247373
SHA1 29e291aeefc71d1efd0aeb3adf1a05e3da7c530b
SHA256 de88ad8891208677429aa216706c1014e1b8d02e5c7c3b4932b9c4b6bd465c80
SHA512 157477d297ebde9187f1638a2af24cdce791a451332465b4b9e74ddf4ce667c06955c4337a5a8a37b1471c922e14f14e7c6b3b7371ab3165b1096c1f2772b9bf

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 fafe822197edbfdaf8d1bbdb0fd136b1
SHA1 a96be16734e82e4a6704b971514fe4169a27f1fa
SHA256 7fbec730458ad4f6df50d03dc34fbec505cf332d291ead65d4781618d13e8498
SHA512 221d80dcd606c9ce274bfe51b593f41b940f67a2974f520a904f2b65bfbef9525ff9578cf51a67e07f97668169a83970939c8e8ec91f23e67bbc5837e24ed22f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 c72ef77cdec5facf278b0ac73146cac6
SHA1 1ab635fa43ac0606dbf29aff7cf9cf54378561fb
SHA256 f112dfffa0bf30d63cfa01082c094097c7e88715641b52581bf5fa378c4dc935
SHA512 7b30f2ad333055adb6d8222eb04f55d4ee4ac6f8a6d11e6bca9d369cd170df68c2b22084a9a50439c16b128586295a6f3ace7055d5c1347bba86abfcb5fad8a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

MD5 a7aa7d8d92ea8550a29cae1e4c6a76ad
SHA1 28728cbb9b83cb8d700883849537060ffa1f4190
SHA256 c5a9fbf6a2c4750574999c976d8ac02c1eb6e76d8a5e92e6c28fa15a3c3e708c
SHA512 f01149d20dae9820862dda4b5e37aa9564dc57e2a501b5a87c87ed0282f22c098397f111976b6d3a5620c8c86e3db827eebe0f249b5582e6e2cad8b9a1e7bf68

memory/2212-398-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-399-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 a58be80b0b6be072704c1b81e098b766
SHA1 c0c11753bd8814b22dd203efbcd32c512ab3b35a
SHA256 45ac0a1e4bda91d5d701daf4688248130805f65d7959febf389bc4d28bd4f9db
SHA512 82a16c5dd9497c7db857c6856d52e2e654d0b3a9c00594264f7b928a2759a9b5839de55729f3fc94d41c2363e41eda9af36a531a469618876fdbb09348f2d7b2

memory/2212-410-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-411-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-412-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5092-414-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/5092-416-0x0000000000F80000-0x000000000145D000-memory.dmp

memory/2212-421-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-08-12_11_JYHA1IDH37kjW2ud4k03lA==.jsonlz4

MD5 7c618c5385632ed123b3929e89a9104a
SHA1 877eef304b5bca587c7f990c0b187b1fbe666e04
SHA256 0c052f029079668e4dc8f63800c6b2fd173fd97de4739e5a66d017df726f519c
SHA512 78e0c287f8367a1fb67e816d2ca7a675cf880d1a245ebc1f4633c52a54bd7fb8ba4564d7c07ceddd9f56c9efbaadb2da1ccc928f679645b3d91dcdac7c87d64e

memory/2212-429-0x0000000000F80000-0x000000000145D000-memory.dmp
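Two things in the Files list above are easy to miss when skimming hashes: the dropped C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe has the same SHA256 as the submitted sample (the loader staged a copy of itself), and the other executables under the user's profile (0d383a3ff0.exe, 76b0bdeda4.exe, ef9258e7e9.exe) are the downloaded payloads, while every file under the Firefox profile was written by the browser itself. The script below is an added example, not part of the original report; it parses a constructed excerpt in the section's layout (SHA512 lines left out for brevity) and pulls those facts out mechanically.

```python
"""Pull file IOCs out of the Files section of a sandbox report.

Added example, not part of the original report. FILES_EXCERPT is a constructed
excerpt in the section's layout (path line, then MD5/SHA1/SHA256 lines, with
memory-dump entries interleaved). It groups hashes per path, keeps only
executables written under the user's profile (not what Firefox wrote into its
own profile), flags a dropped file whose SHA256 equals the submitted sample's,
and sizes the dumped memory regions per PID.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87"

# Constructed excerpt; paths and hashes are the ones listed above.
FILES_EXCERPT = r"""
memory/4180-0-0x0000000000A50000-0x0000000000F2D000-memory.dmp

memory/4180-1-0x0000000077C84000-0x0000000077C85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d6612f5d347fb3a1e9b74b324271a5d3
SHA1 f4cf302408405179d0c865438d38cdf1dec0cf80
SHA256 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87

memory/2212-14-0x0000000000F80000-0x000000000145D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

C:\Users\Admin\1000037002\76b0bdeda4.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
BROWSER_PROFILE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)


def parse_files(text):
    """Return (entries, regions): entries = [{'path', 'hashes'}], regions = {pid: [(start, end)]}."""
    entries, regions, current = [], defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mem = MEM_RE.match(line)
        if mem:
            regions[int(mem.group(1))].append((int(mem.group(2), 16), int(mem.group(3), 16)))
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            entries.append(current)
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current["hashes"][h.group(1)] = h.group(2)
    return entries, dict(regions)


def dropped_executables(entries):
    """Executables under C:\\Users that are not browser-profile files: the loader and its payloads."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith((".exe", ".dll"))
            and e["path"].lower().startswith("c:\\users\\")
            and not BROWSER_PROFILE.search(e["path"])]


def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files byte-identical to the submitted sample (a loader staging a copy of itself)."""
    return [e["path"] for e in entries if e["hashes"].get("SHA256") == sample_sha256]


def largest_region(regions):
    """Largest dumped range per PID; equal sizes across PIDs hint at the same image re-executed."""
    return {pid: max(end - start for start, end in rs) for pid, rs in regions.items()}


if __name__ == "__main__":
    entries, regions = parse_files(FILES_EXCERPT)
    print("dropped:", *dropped_executables(entries), sep="\n  ")
    print("self-copy of sample:", self_copies(entries))
    print("largest dumped region per PID:", {p: hex(s) for p, s in largest_region(regions).items()})
```

The same path can appear several times with different hashes (prefs-1.js above is listed three times), so the parser keeps one entry per occurrence rather than merging by path. The two 0x4DD000-byte regions for PIDs 4180 and 2212 are consistent with explorti.exe being the sample run again from its staging directory.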

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:03

Reported

2024-08-12 05:08

Platform

win7-20240708-en

Max time kernel

299s

Max time network

290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d383a3ff0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\0d383a3ff0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2972 set thread context of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 set thread context of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
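The evasion, persistence and injection rows above translate directly into host detections: a process running from a user-writable path probing HARDWARE\ACPI\DSDT\VBOX__, SystemBiosVersion/VideoBiosVersion and Software\Wine; a Run value under HKCU pointing back into %TEMP%; a .job file written to C:\Windows\Tasks; and a thread-context hijack whose target is RegAsm.exe. The rules below are an added example, not part of the original report or of any vendor rule set. The event records are constructed from the Description/Indicator/Process rows above, and their field names (type, process, key, data, path, target) are assumptions, not a sandbox or Sysmon schema; a Firefox CPU-info query is included as a benign control that must not fire.

```python
"""Detection logic for the behaviours in the behavioral1 signature tables.

Added example, not part of the original report. EVENTS is a constructed list
shaped after the Description/Indicator/Process rows above; the field names
are assumptions. Each rule returns what it matched so it can be asserted on.
"""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)
ANTI_ANALYSIS_KEYS = [
    re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.IGNORECASE),
    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.IGNORECASE),
    re.compile(r"\\Software\\Wine$", re.IGNORECASE),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TASKS_JOB = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.IGNORECASE)
# Signed hosts seen as injection targets here; extend with what your telemetry shows (assumption).
INJECTION_HOSTS = {"regasm.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000"

# Constructed events mirroring the indicator rows above.
EVENTS = [
    {"type": "reg_open", "process": LOADER, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "process": LOADER, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_open", "process": LOADER, "key": HKCU + r"\Software\Wine"},
    {"type": "reg_set", "process": LOADER,
     "key": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\0d383a3ff0.exe", "data": PAYLOAD},
    {"type": "file_create", "process": SAMPLE, "path": r"C:\Windows\Tasks\explorti.job"},
    {"type": "set_thread_context", "process": PAYLOAD, "target": REGASM},
    # Benign control: Firefox reading CPU details is not an anti-VM probe and must not fire.
    {"type": "reg_query", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"},
]


def anti_analysis_probes(events, min_distinct=2):
    """Processes from a user-writable path touching >= min_distinct VM/Wine keys -> {process: count}."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] in ("reg_open", "reg_query") and USER_WRITABLE.match(e["process"]):
            for pat in ANTI_ANALYSIS_KEYS:
                if pat.search(e["key"]):
                    seen[e["process"]].add(pat.pattern)
    return {p: len(k) for p, k in seen.items() if len(k) >= min_distinct}


def run_key_into_user_dir(events):
    """Run values whose command points into a user-writable directory -> [(key, data)]."""
    return [(e["key"], e["data"]) for e in events
            if e["type"] == "reg_set" and RUN_KEY.search(e["key"])
            and USER_WRITABLE.match(e["data"].strip('"'))]


def job_drops(events):
    """Legacy .job files written into C:\\Windows\\Tasks by a process running from C:\\Users."""
    return [e["path"] for e in events
            if e["type"] == "file_create" and TASKS_JOB.match(e["path"])
            and USER_WRITABLE.match(e["process"])]


def thread_context_hijacks(events):
    """SetThreadContext from a user-path process into a signed host such as RegAsm.exe."""
    return [(e["process"], e["target"]) for e in events
            if e["type"] == "set_thread_context"
            and e["target"].rsplit("\\", 1)[-1].lower() in INJECTION_HOSTS
            and USER_WRITABLE.match(e["process"])]


if __name__ == "__main__":
    print("anti-analysis probes:", anti_analysis_probes(EVENTS))
    print("run keys into user dirs:", run_key_into_user_dir(EVENTS))
    print("task .job drops:", job_drops(EVENTS))
    print("thread-context hijacks:", thread_context_hijacks(EVENTS))
```

The anti-analysis rule requires two or more distinct probe keys from the same process, because a single BIOS-version read is common in legitimate installers; the VBOX__ DSDT key and Software\Wine together are not. The persistence and injection rules gate on the acting process living under C:\Users, which is what separates the loader's Run value and .job drop from the same operations performed by an installed application.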

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\76b0bdeda4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2644 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2644 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2644 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe
PID 2728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe
PID 2728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe
PID 2728 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2972 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76b0bdeda4.exe
PID 2728 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76b0bdeda4.exe
PID 2728 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76b0bdeda4.exe
PID 2728 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\76b0bdeda4.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1520 wrote to memory of 2308 N/A C:\Users\Admin\1000037002\76b0bdeda4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe
PID 2728 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe
PID 2728 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe
PID 2728 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe
PID 2452 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2452 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2920 wrote to memory of 2272 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe

"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\76b0bdeda4.exe

"C:\Users\Admin\1000037002\76b0bdeda4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.0.656125712\598250611" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6add0101-14ee-45c1-a400-abf831f606d0} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1280 11dd5b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.1.291480274\1164672918" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7cb9435-499e-4bf1-ab61-6ad09f47b6e4} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1496 e73c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.2.1800076998\784561216" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e0e8cc3-ba30-4153-9011-f10d637d5092} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2104 19d9a858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.3.1638369663\160610286" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22aa4d3-c09a-4c7d-b47c-4843b7da7664} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2896 e64258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.4.1303826133\1581313732" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3784 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dc8c79-ab9c-40f1-8cf6-f7ba190847e7} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3812 1cfb9958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.5.1820247056\1565151837" -childID 4 -isForBrowser -prefsHandle 2784 -prefMapHandle 3328 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f35a8518-9f5d-43f7-b73e-c802ecd56699} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3956 1cfb7b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.6.448088790\723047656" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61971734-602c-401d-be0a-543a123f90f8} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4000 1cfba258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.7.1855895466\457827544" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4304 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa2fab8-765d-4e98-982a-0b138dfa9b93} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4360 1ad9bb58 tab

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49316 tcp
N/A 127.0.0.1:49322 tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com tcp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp

Files

memory/2644-0-0x0000000000390000-0x000000000086D000-memory.dmp

memory/2644-1-0x00000000771B0000-0x00000000771B2000-memory.dmp

memory/2644-2-0x0000000000391000-0x00000000003BF000-memory.dmp

memory/2644-3-0x0000000000390000-0x000000000086D000-memory.dmp

memory/2644-4-0x0000000000390000-0x000000000086D000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d6612f5d347fb3a1e9b74b324271a5d3
SHA1 f4cf302408405179d0c865438d38cdf1dec0cf80
SHA256 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
SHA512 66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5

memory/2644-14-0x00000000070F0000-0x00000000075CD000-memory.dmp

memory/2644-16-0x0000000000390000-0x000000000086D000-memory.dmp

memory/2728-17-0x00000000012E0000-0x00000000017BD000-memory.dmp

memory/2728-18-0x00000000012E1000-0x000000000130F000-memory.dmp

memory/2728-19-0x00000000012E0000-0x00000000017BD000-memory.dmp

memory/2728-21-0x00000000012E0000-0x00000000017BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/2972-36-0x0000000000080000-0x00000000001B0000-memory.dmp

memory/2452-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-38-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-40-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-54-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-52-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2452-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2452-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\76b0bdeda4.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/1520-69-0x00000000003D0000-0x0000000000408000-memory.dmp

memory/2308-79-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-83-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-82-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-77-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-75-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2308-72-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3060-102-0x00000000012F0000-0x0000000001533000-memory.dmp

memory/2728-103-0x00000000065B0000-0x00000000067F3000-memory.dmp

memory/3060-104-0x00000000012F0000-0x0000000001533000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

MD5 22f6765c3b05f569ff1f609ad71dfa58
SHA1 59fc5c7804457dbbbeb8485151cba6257f21b833
SHA256 215adfddf022e657ef0bcf5dcd66d4c2740af20afb563d3662ed7c1e88119dc4
SHA512 7685a21a9ef2489ef6f3e704fd61564ca003b8fe0d38b6fe5af4994920d31cb9fbe1217cb5fd165feba21844e0bfdf3ee997704f73e32f79b6f4f82cdee223c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\d90a86b5-2247-4287-9e5d-35d61fcdb879

MD5 b88cb8bf7c9a324e6420ad04034c63ac
SHA1 e61460a0f61eac0235c1acf854d14ca5b3271483
SHA256 f98fc28d7932dcf66d6b0d74dd394ab732b7cf3b41bb3cbc6025f9fedb78f33a
SHA512 02e685fca8a35bfb7ff965e9fd0e9232793e683f408de608cd5de9d9f789283396ae7c6d8fc106a8b3b4cedeeb55c16dd431e50f89aed3aa04d58788724f0e62

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\0bb486a2-1330-4ea1-9f21-c73d26059f6f

MD5 224e33e810f1987166f1e03fa3b75a0e
SHA1 c94f911260a560363f1697f2db86e5b7fcfd1d6b
SHA256 36fdeaa80182de421b527e43228fae00858ba80c9ee3520a01cb7ef24ed6b4ca
SHA512 e9c326f1e95cf703fcddbeea4c121d1a7210d27359c9cafc276d991354e466244caffb6087ef21858da400b82db533e8f6b0e24da664e5efbedd71597ac19eea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3dc733f51b6c47c0e57ae7035b9abacf
SHA1 d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
SHA256 aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
SHA512 e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

MD5 67d69718f3a897829a16e486c7411d53
SHA1 10a24ef440813948dea463f11b3084af4942667b
SHA256 8e065c9171abf0f5d6f8ea7279038bb26e97f29bc1a375879489d250904cac6c
SHA512 4101195a7269f3e675f6e1624742bb294d8fde0c4e49113b740c8b0521936f16356737f1d8826228d55a584ce39ce88294fccf602bea6ab43bd0ba591a2606c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

MD5 2d893594787dcad4867171b408e78252
SHA1 606431a1794f9be55333c6004e01764f26b8db2b
SHA256 86bc409d00be778727165f919d52d850f9bf14dd49c020a3fbf5f3cddcc9384a
SHA512 6e38255a90eb3c5dc43fda11576584354190e328a7c65ce58bf55546743831f2c159d547a601de3f9306cdd01d256cbde5143dca09cbb440d25f4b10152f05c0
