Malware Analysis Report

2024-10-18 23:41

Sample ID 240812-frg94s1crc
Target a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
SHA256 a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08

Threat Level: Known bad

The file a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:11

Platform

win7-20240705-en

Max time kernel

299s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\ee319cb5d0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ee319cb5d0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2380 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 set thread context of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\3463c39ad0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 860 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 860 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 860 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2656 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe
PID 2656 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe
PID 2656 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe
PID 2656 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2656 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3463c39ad0.exe
PID 2656 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3463c39ad0.exe
PID 2656 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3463c39ad0.exe
PID 2656 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3463c39ad0.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3044 wrote to memory of 1056 N/A C:\Users\Admin\1000037002\3463c39ad0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2656 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe
PID 2656 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe
PID 2656 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe
PID 2656 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe
PID 2900 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2900 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2900 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2900 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2480 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 2548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe

"C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\3463c39ad0.exe

"C:\Users\Admin\1000037002\3463c39ad0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.0.117122171\562446046" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31ac260c-9ada-4353-a54b-fb893ba6a442} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1292 115e1858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.1.692474941\369092715" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c873f3-dabf-4f59-8c0d-ff78e809033f} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1504 f73358 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.2.893094459\764723427" -childID 1 -isForBrowser -prefsHandle 1876 -prefMapHandle 1988 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4621c236-ac80-4513-a1e8-db56d72ae867} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1836 11560758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.3.48218789\1436933025" -childID 2 -isForBrowser -prefsHandle 608 -prefMapHandle 572 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {448d7d3a-b4b3-4a24-9a8a-acb542360164} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 2388 f73058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.4.1985243906\764023589" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b702f4cf-96af-4ba0-bd39-5613517a9559} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 3824 1de0e558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.5.1244208476\101597115" -childID 4 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9788436f-9da9-4269-a2fc-e38f92fafccc} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 3920 2119e858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.6.1879564007\1835320592" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17b622cd-8896-487d-aca9-d7e44b413914} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 4100 21f0e958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.7.609352567\1719480921" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4368 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {642f01a8-76b9-4044-8cb0-fdc36ecc602f} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 4380 1b4c8958 tab

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49313 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49319 tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp

Files

memory/860-0-0x0000000000B10000-0x0000000000FAF000-memory.dmp

memory/860-1-0x0000000077790000-0x0000000077792000-memory.dmp

memory/860-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp

memory/860-3-0x0000000000B10000-0x0000000000FAF000-memory.dmp

memory/860-5-0x0000000000B10000-0x0000000000FAF000-memory.dmp

memory/860-10-0x0000000000B10000-0x0000000000FAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f19c5b8c97857169bbfc5aea1e12d2fa
SHA1 6895c85c50e0214bb4b144067edd829a70cc5dcd
SHA256 a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
SHA512 e33440c55909fe053745c71220701663897eae4f4e57c1d80d02168cd93e15934643fba20cdd5455702c57f4c3474def52b72a13c65f51addb3a680deb21b0cb

memory/2656-17-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/860-18-0x0000000000B10000-0x0000000000FAF000-memory.dmp

memory/860-13-0x0000000006BD0000-0x000000000706F000-memory.dmp

memory/2656-19-0x0000000000BC1000-0x0000000000BEF000-memory.dmp

memory/2656-20-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-22-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-23-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-24-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/2380-39-0x0000000001130000-0x0000000001260000-memory.dmp

memory/2900-41-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-57-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-55-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-54-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2900-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2900-51-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\3463c39ad0.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/3044-72-0x0000000000050000-0x0000000000088000-memory.dmp

memory/3044-73-0x00000000021F0000-0x00000000041F0000-memory.dmp

memory/1056-74-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-88-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-86-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1056-82-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-80-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-78-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1056-76-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1052-107-0x0000000000E00000-0x0000000001043000-memory.dmp

memory/2656-106-0x00000000063A0000-0x00000000065E3000-memory.dmp

memory/2656-105-0x00000000063A0000-0x00000000065E3000-memory.dmp

memory/1052-108-0x0000000000E00000-0x0000000001043000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\db\data.safe.bin

MD5 445d8376bcbb7960d48c64fb6b4b1391
SHA1 6ee907c84c41dc3493420220ed22d86daddc6f09
SHA256 42378b9534cae033c921c3a06c413fd280e68bdb8fe6068d5f78e313638f17d6
SHA512 c085f4022b5a0cf8c1ce0ad6bba13108a10e975197798a80361fef81d642da79bb3074e849fe0e0518f7ce1b662d7849816b9ed6b5b80046bb9d88c7c4b6b2ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\9507cce1-d512-4475-ad67-c75704db05ba

MD5 7e7130fb3edd2875cdbd9660eff7e15e
SHA1 3c443b27793d1452e1feefababc4c9fc458649f3
SHA256 f66ecf87fd0bd86ef91b8ae3ab01a70332fad46b7cdf2c270cf5f10c241a7df1
SHA512 73f9f0c63261adfa10851e41de751c2b6dbf50f67fbd2f869c064be0a590613ff06a8e0824a7385c82da2475935818547e52d34ad3229afbf1659f210d37bf15

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\2e24c821-2d17-4445-8671-b4c7186cf18b

MD5 5e0152985062651095139db02b46789f
SHA1 ac81394bd6ba7e55931270d59d02c624100e8441
SHA256 56a641bbdcd488a415d505b4752dc72234590b913e7dfb312d72f953034a025d
SHA512 a39505ed8a5382c93a2eea60ff7864f26425c98c74b2acfb3df422ff0c9e4beea8da3db65956a47b8be6900589042c167b8d17f052eab376757b5b5cc89ca357

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d2733b4fbeb4e439049cc5be9c8e2441
SHA1 d785fea6f76422ab46f2c4d690c55f66f8ac2d4c
SHA256 540fcec1bebb679cfa2430462d03751d62efa79800744e3e5006756713823918
SHA512 f2de8de63e5524e6f397d28f5d0db4d8d66cef8ca29db373fb68fe4a36f6490e0440ea37f5e5defc5f6b8440e4c374b7e61279397d5f6c25e62b940b62b3302a

memory/2656-197-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\activity-stream.discovery_stream.json.tmp

MD5 4cfc61b3c74023c65ce45cf7b4be13e6
SHA1 d074ebf92f816dd3b00b7bf0a78fb436e0c3bc11
SHA256 002e5fd1f4ef567363fb381448ee09f3ebc1cd6289e92289f60d070b1eeca786
SHA512 64b35d5627090eb4db04f81cdb8f4007302fd200d36fae6abd7c3de8bad9669d58fb66ec33289ae9af4d876db079ded0237330499fa028509fe2350c4141aeda

memory/2656-237-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

MD5 703b8e4e677f45857bf0496493b1e719
SHA1 c27b36be80776cf719039b72d7e1a45cfdecdeec
SHA256 842add14bf40c0bedc9859fe97c38e6efea85b442d139ce01a21152935b1b456
SHA512 d0dcf297a3a21f1a9237bd6cbc71ede652104baceb23074a44ec28835db868e4e3bb8b7caab56f492f372bd35695bb2147a733698ea4e9592e7d8027719d5a6f

memory/2656-254-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-255-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-256-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-267-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 72777279e2f5690f149508ea19f29886
SHA1 beb9c0f1068a20c3a5e545360885558af3cc4332
SHA256 c2b758bb47bd5e6871501cdd1e904549b4097e36873c2a701136038d78f7924f
SHA512 8f8c20b17c880e9e725554c91ab22f322ee0473ab584a075fcd2ccc993f1cc562ea94da1fa4895ce4684642125fbe9d5ebd19ad5c80d53635322f3f132478ba4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

memory/2656-299-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

MD5 5ee4bdfdfc61ce154be6829e79c850e1
SHA1 4a1f30eeea731875521ec69c1007e9d07053dcc5
SHA256 1bef99d75ed687a8a3bea4951cbf0a1f3faba5778e91e0893ac1d6f22ae45e5d
SHA512 c1c84db7de3262c2b45aa2ef5524e3a77bb6af3efd65307bfa6fb1029fbdfc88d5e5dc778b03af4dba4aeba041048bbd333ef4737a1a347e57baf2bf3dd2d79d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

MD5 d493dd71b0b867f909f10e782c06821e
SHA1 f58ee631625c9bee7a28a216393df67062c84ed9
SHA256 1c4017ba2afb650e9fb30627fe1f79f5c66e43e578fe071bc0fea09cf49abc0b
SHA512 7becbe5f40ae658669fd5bdae1cd96361166d0eb536c0ad29ecad026055d1d52ba030996f8440b8ebce1f5a0a2684d1abf40bed11a5618bf995afaea47b34c8a

memory/2656-354-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-356-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-358-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-370-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-372-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-373-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-374-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-375-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-376-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-382-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-383-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-384-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-389-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-390-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-391-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-393-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-395-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-396-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-397-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

MD5 b73304ceb98de8aed2906377733ec46f
SHA1 8b7125bc4fee961fccec00c8db104e23eae905be
SHA256 a81c41d500172be77b03a80b7bea79b5aeec7c3ed8f9c96c8b7eeb2b80188e90
SHA512 ee7cff16a41df5ec80d727ec3523dfc0805af96e89ddffd9f15182f528da1a7646ccf81843d666b0641187fa81abd848e9ac24f8bb90f4650c1674ef026c2df2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 7323a679f2823662a1f66ae6f4122fb9
SHA1 cfd2571abd5d7c21a8a3dd4ec97ffeecb34e6bd4
SHA256 2b252816c77cec54d576141447dd937f2450dc35126f05777e8493a2b0b1d160
SHA512 befca88a634fde603a7f045aa0c384619393cea069b0c2e8cd4748b2af4ddfa1ca99631a4bed9e2d86fe25c10db86f863a4763cf17e9fb294c0caf9a90ff36b5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 f42edf712252dc4197986aeb13772b59
SHA1 b240d8043390ba02704dc178694f0fca554a5bff
SHA256 5ab6ad54d86c3974acbed5730a1900f3ef266ae93e29c6c8e8feb5f0ef9b0292
SHA512 2b07b44f698b519fd7ea7aa1abe7a1ed9cd7645ebc3874a4dfabf449eab917685ecac07e21cadc7fa44de666f82ae367be9572dbd67f6a3d23c6e98e30fc4c7a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 021344f3aaee97b8c4297566cb148eee
SHA1 277eeb1ada38c46d20f6152a9959092329b077ec
SHA256 bc154ef4ec5f44089e467f56c6ae95b05379e304edcc137ad9493b0b32c109ac
SHA512 18422ba43265c81e07097bd4b57d12a221b8a8fe0a63188ad139a0617fa1fb463ad1d421debd4d90869c9e631e25188765aa76fe3a6b1ddd2e97826f57d6525f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 281b72ee3ead4a01b019a47f81352466
SHA1 ff0cbfb06c23fac42a2e3dac6d152e7003511e4e
SHA256 0eb504cc05ca3123f1e440ea3a321801267251a6eff6acc68c43bac54625e954
SHA512 5c54ef3b8259399eb5926a91afe2ebec42afb37205b27e913f3a4dfa9641c4e1e8aa2b5ff90eff9d051c30cdb48fe9e43d686bcb44e1beb37dac8541c46d6b15

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

MD5 537f20568e8d56901f42517220660ba9
SHA1 10c08141f76289b5b2ed1271496a6e29623b4104
SHA256 0f125acb50c474b4d07769cdb7e2a1900c305f2f3d0b6a224b7e9f41781fe508
SHA512 1274a43614e6020651bda8140f38c4fb38ef156c453afe6615ca32d8aefe8a04503371441c676e3b322175e1f3533b9694ce5a2eb10afe8d33a00a0d52d2b2f0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 711c4cc6d8051fe21c47d194eb43f6d3
SHA1 1e1ece970a901824dd725ff9d1d1d0fe7b286cea
SHA256 479e986b1f447cf8f1e60b9f6f8f8970db35482ed9862ee168f6cc5dab122709
SHA512 91032e8fd052caffc94d6a9d37103bca0a43578d46eef632d1404141a87f7b6870368c99c035df7bf4ee8b1fab9830045037e91ccbf6e4fd169ff8b5851109bc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\AA7662676C412E5EC4DEEE18BFDF4261862A08C8

MD5 a78413d162c89cbb4bafc78e366f68d9
SHA1 e5cf224ff2b19095f120d177a5b9c3587be993f7
SHA256 23cf9aab050422eebbf01dcadda219b125858c59dc8f36423777242652293434
SHA512 876b1cdf3cee6232a521f5d3873417f61a189ae92cd268b2942368bc76f2470f550923a2f1f815c1b6097054e37deb14425229da44b4a4e71d7e9e66d105ffc3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 109781a51e23cfa1bbe82fcc4ea235a0
SHA1 929689bfe7c4414f367b96afc3990c979b03da07
SHA256 bb4a13c444e1dffa2e78517616d51c5bb5f41d04df337689bd1f2fcaec6eeb2c
SHA512 28f70349f4a7f9be6f44f24652ea3f83b71c8fa79fd664f6c1ffdd3b55cff84f2e08cd509fde4cbd04b87c9b67d28989a6ab55e7662acc70fbc7644a23616ff9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\targeting.snapshot.json

MD5 fa263fcfe04d8f760ce3cc07534b4831
SHA1 bb6e5e6a206d744c012c98b2e165b83065d2ba3e
SHA256 366a419f8a83e8cd068055df9bd8ba84f581dfd78c1257b4c2e1c0e01c84b99c
SHA512 880022cd85b63e1ffef131abdedcee0fe19eb8229390bbb4bbe74c223ed0b43b3906079e1d20a9a4d2c0d4a8efd8a518815be051a9be7a985678e62672e192ff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\addonStartup.json.lz4

MD5 35860b7440797fdf92b6b343858fae39
SHA1 62c24f43eedf6e71b226f0159dbbfeecc152f47f
SHA256 fa8d0fffa1b53a2ef40a65da9e28fe04dd91f053f4784f542714e60b4290f498
SHA512 5ae3d1a8279ae0fdf7954c3cf2279ea9c525e36547c4ed92049f741be6bd46bfef82b40763c7d01e0620dcf356fc9fc45b12be4dce319d4d9b354f6fa15d1a69

memory/2656-465-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-470-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 cb1b75b915b683074a0ff9a3de3e3331
SHA1 69250d39e214cd1deba64352cab1d15435f88766
SHA256 750c36a8f222a4e33410b4da91e9d1aaea11dc4041769e17cd6a97ee0782eb14
SHA512 2c7b4fc682590780fca4e93233d5ab162cf016280f79804c3a2947ad9e8b40edde7694973a7cecce317e1166a966ab5e80052667abd2cf1cea0cc5cae6633184

memory/2656-479-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-480-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-481-0x0000000000BC0000-0x000000000105F000-memory.dmp

memory/2656-486-0x0000000000BC0000-0x000000000105F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\bookmarkbackups\bookmarks-2024-08-12_11_L2sLur954nYBdQ3s4g+3lg==.jsonlz4

MD5 ecd71170c37ebb24f04d6d8ba720b793
SHA1 5d0d3c42d121d7d5aa06f6b6c16a8f158ea29972
SHA256 293e5875f539e4982d26fa3729c0d68477bd41f1b25ce8ede3c5149f6cac6d21
SHA512 564c63c165bd972bc9f5dbce1ba0c6ffd163e6a18c284c0388ac5addc86b935ed05a7ce1c5e01bc0ea55d0fa33fbb9420cb13c9f409601e09b0cd2befecfe6f9

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:11

Platform

win10-20240404-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\0647b321d4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\0647b321d4.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4592 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 set thread context of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\d196e303dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4588 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4588 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3496 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe
PID 3496 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe
PID 3496 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4592 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3496 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d196e303dc.exe
PID 3496 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d196e303dc.exe
PID 3496 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d196e303dc.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 712 wrote to memory of 4440 N/A C:\Users\Admin\1000037002\d196e303dc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3496 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe
PID 3496 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe
PID 3496 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe
PID 2744 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2744 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2252 wrote to memory of 1548 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1548 wrote to memory of 4820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe

"C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d196e303dc.exe

"C:\Users\Admin\1000037002\d196e303dc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.274293778\1692522620" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad34339-c9a1-43b9-8a7e-626ab5aed5c9} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1824 2ad242fcf58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.1484808966\2062191419" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9932ce18-28f1-4c0e-a8f3-7ec0c72430af} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2200 2ad241ee558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.1977859984\1048470301" -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 2928 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46bd7f40-1d1b-471b-9730-4b54eeccc72d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3036 2ad24257b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.2144126492\2091524018" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a802fdff-5ef4-4b8d-b50e-055a9260e09c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3568 2ad19370e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.2103145056\1612165216" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4832 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81cea882-d1be-4bc6-9cb5-ea4b9f9fcc62} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4888 2ad29f3e358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.1876106620\1876906991" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef0562e-bd6d-46cb-876c-183f504b97c0} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4932 2ad2b6c6258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.1069174573\87113525" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2703623a-5d17-4f4d-82fa-dc63c4c30c28} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5240 2ad2b6c9258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.1996055712\1048342376" -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 3188 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a310e41-a4b0-4eb0-a727-9655cee65946} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5072 2ad19941b58 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49828 tcp
N/A 127.0.0.1:49835 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 138.163.125.74.in-addr.arpa udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/4588-0-0x0000000001010000-0x00000000014AF000-memory.dmp

memory/4588-1-0x00000000777B4000-0x00000000777B5000-memory.dmp

memory/4588-2-0x0000000001011000-0x000000000103F000-memory.dmp

memory/4588-3-0x0000000001010000-0x00000000014AF000-memory.dmp

memory/4588-4-0x0000000001010000-0x00000000014AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f19c5b8c97857169bbfc5aea1e12d2fa
SHA1 6895c85c50e0214bb4b144067edd829a70cc5dcd
SHA256 a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
SHA512 e33440c55909fe053745c71220701663897eae4f4e57c1d80d02168cd93e15934643fba20cdd5455702c57f4c3474def52b72a13c65f51addb3a680deb21b0cb

memory/4588-13-0x0000000001010000-0x00000000014AF000-memory.dmp

memory/3496-14-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-15-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

memory/3496-16-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-17-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\0647b321d4.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/4592-30-0x0000000000680000-0x00000000007B0000-memory.dmp

memory/2744-32-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2744-34-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2744-36-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d196e303dc.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/712-49-0x00000000001D0000-0x0000000000208000-memory.dmp

memory/4440-51-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4440-53-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\0c3354ba85.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2616-66-0x00000000010E0000-0x0000000001323000-memory.dmp

memory/2616-67-0x00000000010E0000-0x0000000001323000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\d3fe9c32-c113-4f48-a644-2be37c79872b

MD5 f130737059d3ebf435f35bf739f6879a
SHA1 f2d9ac75c9e4db04c9825c4d96ab0002d3a2cc4d
SHA256 1ea9112104bd2f01ef4434dccf6c410e99fa2f2dacec376abee80dde413dcb38
SHA512 8cb551401022cca9ec07b36002778d57833600ddf7a7319844489fff5b9c2fe57e9714ce2201d4a86e96018d0601275af1060ad593b1209436cddbe058969239

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\45da6d76-6e53-45d0-aa47-4641d2ab975d

MD5 f37969ba041536486405d18417e595e3
SHA1 e5cecea5d3ca051232f4a47d31fb1ca496ba4573
SHA256 209552e50a726e9453d073316876ed24c0ff8a04f47ab8ca368829541d20025a
SHA512 683dbe7dde97e24c479d1a0ef60311ab884a56ced3dd8e075a93fa5d0c9ba207e208f870f7018acc131766b9a6ccbd0e05aa31ece69e055075eb7b1e3448ac22

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin

MD5 9c73288cf6eef4c8ec8ba15e073f73e2
SHA1 a614bfc509d200abc6b67846f1e76fc251ba1c99
SHA256 5b9c8937a3fc3341e9fff1c502a2fd0279d278e46fca1368f91983bf27dd3c64
SHA512 7740566aeb33487faa550f074ee0451675ab1ddb641e297b04464aadbb1848ece2db6ad2f1ddd2341975bffbda53e5a20572d95972168a39b71fd08208e4d918

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 69cc4ce68ce55e681c368d219f32a10d
SHA1 28afdfa7d331fbb72dd993ecefea313f2799b446
SHA256 d4e13af44e4664821cf15715fbb0038aa5d3f03e3b7a15a7efd4745d77a4b8d2
SHA512 4b1a2f353f0d8e1efbd9f1deafc551fdde86bed7d32662d025640b67c3a9e71e0c635a3fdab10196eb32ef5870fb58a6973c8920c7f42adbbd537ffb18c399df

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 c26a2a8dca0de173ade1fa04557f113e
SHA1 8f1565b204c47e424bb96df09f4646f231e996ac
SHA256 37b1ed81a0459e069107d0c06a4fac33755788f0766a3af1ea6549abd2f9a68d
SHA512 24302c0c1e5660de45f96c2f85b8788a7ae663bb33366a107a2609896c18a065d6ee666f42323108558eafee9ce6c45ca72388efc5922ccd11c3e1013ff1bfb8

memory/3496-189-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-194-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-197-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-208-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 73dd6c923f924fcd7f5a33352de0c554
SHA1 2cf50cd56819cae6b1d42138bf8c869739d30ee2
SHA256 f6168f3a9110dc9942c5e6c130d3cb718a6f6e3804137a880b6a75b1dd454daa
SHA512 202f9de9eeca9b809f89eb217f103b28a651d3290669144d77d7b661b78ba0ef8894f3873e6ec3b492e35d87873af34b3997a047eaf7696e3a2d3b476b68b4d0

memory/3496-214-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 f5cea2b4cd90c2711e47b3523bfad3e2
SHA1 0218e72ed8a2e644fc0436b6942933e54b16ad95
SHA256 b382d952047d2363845bbba5639b98da8c02be0abb3ece6f37adfdc8324ef805
SHA512 bcbf50c074cb6c24ddd0b45b81c33d11915f4ebba0c28c02f65b275153747854d8471f3cb5e1502428f27ef4061506dd7b47ecaa708a2987d1330b608ccc6128

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 31fd4ea298ef2d5e63e1aaa620eaa398
SHA1 48a52a665bb69c000f197930cae98c5abdee835a
SHA256 b56159ff50b87269fbf1e226473a5e39447e7746f935837c8e390945ebb734cb
SHA512 ac8c8a5c45fe85d4e090caa1125c6756288dec67eedca12c2ecca5299a2da0b6f0b460d4111bf42a18ddb3d42b1330266b6a516b3ab566089c07252f44024ade

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1b6634af03eaf3c51c01ead40132ce98
SHA1 99383e9263ca513ac687c6d58baedfb66aa97675
SHA256 f8ffc16c62f777b7355f7885184f9997e4c41c809d41fa9c1308095d12a2635e
SHA512 5d35abed9962e3880884c89e9f542384716371e5a6bc9d060bbf6c7affb1cc084826a2211b15b3f516ce66cc997994d427675d20b66b4635d75d9e3a582a799b

memory/3496-305-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3808-307-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3808-309-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-310-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-312-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-317-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-318-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-319-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-321-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3516-322-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3516-324-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-325-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-326-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-332-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-334-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-335-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-341-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/4128-342-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/4128-343-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-344-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-345-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-347-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-348-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-349-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3908-352-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-351-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3908-353-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 3a3edd99c544c77cbc69aed1190697dc
SHA1 0d02866063543e94ac38ddb009c29b599c1f003f
SHA256 2d08db5fff328e78b5d5cb6c94a7f0fe1c87faa2548e4f249569a04f022507f0
SHA512 180f07c2b1195e6572b25ac20118e6c1c1bd707f681fcbfacbb8e3d6a172e9a3f5d41a155959c885b4f57989ad4ccad7a5f0f51276fe7bf16e5a95fd2d04ff62

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

MD5 5dc16a1a193f3b0a360fc42a94bfbbfb
SHA1 1e35501c660f7b46f30f4ebf8a8af5ae1b384fc0
SHA256 e436ebfa7beed3185e773ee78ae3548cece0a14c42ee191f8d35beda43799cc9
SHA512 f46f66b0474b776dd6d014ddc1345235e9a061930ea03614d4e914645b3905662d9e367170a30ae6ca5dc3f877440ab86bba53db0e7d73cf1c01f9d1071876bd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 0d07344bb72477b3eda49156f7e2340f
SHA1 f93bfa66be77315f99e72c0fa34a1371fe2f93a6
SHA256 22b2efb6e486cedebe9ad2ed9a1e6d0676b8ff9fdde9ed1dee02038ed8cf5e5b
SHA512 c158defb6ca89b30aa59d971f26f981ea489de22ead2f66eb4815d645d98e418f72f1c4b9201bb6c081f75bfdd26fc6c32079fc6f7e8255b9a0c5ee8372d83da

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 cbb9077d7df5ed6ec7809a5f95aff763
SHA1 886d7b50a03f4d39a37d3554243cff8d9102bae6
SHA256 e01adfb997cccc7e3b298837a8953ece35191f0542f1c03168e7c25a21a699e7
SHA512 a63e780c56be4e8f5c52bb280a5226ed8badc44f977a97a05200828063eae8a224990b481710dba91980b3000160ee8b61950d09f4860a7bb6a9b4df230b9dc8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 022d820419bd24f738d93ec867ee9698
SHA1 570c6ab8ef26064da104be92533006ff0436f111
SHA256 0559db012ea3cde2eba4f98f6092e4a3c3f6cfd1f1f387f505e035f987030747
SHA512 9c758244ffe347f660e4a1192bad096d6408d405ce2898ddd2c045e091234ff4504f0f019728cc7340d4d309df79a0de550d599cdd7e015da3c768d465d49731

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 9bf768d6483f2703e0f98067db6fd293
SHA1 1672d456507b925668820bcfd387923ae538497a
SHA256 ab12c6b3b8508a7d269c8f463274e138a2d42ad6c7b9296e0e44932e5289fd79
SHA512 36ca07802cbf469198a8f08bd74f137870045b43bc47d39067796cb3d5f7392ba6d9a25c46afcf0013c734d9f79cf3c5558c2e7ef544036b40f919d549aec62c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js

MD5 ee033682a9209215424fe759a6fd2ff3
SHA1 7d359bb8eca0816e815aeef8bdc17ef5e0422eb5
SHA256 2012c9151bc889cc1d3cff6f0a6b080f939107da858190f6a0449aee4453c662
SHA512 702c209483dc5c1872ca6612abfdf9fbc728351bbf55a61f0dee767f39f1ff703db5ca5328b08f74494678452d1cdef5067f54c8b894825bed1ee07cf094f0b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\targeting.snapshot.json

MD5 432745bc7f52fd0abdfa516ac8b78c39
SHA1 86c82719777b50269b2052a641d21e2ff8f105c1
SHA256 3ecdb30146865539ee3215e95315363c93b63b5d02c90c915a4c841079f6b2d6
SHA512 e1cc7711c83be9433a529e3f9aefdd836305062201367f9e24e94d2dc207ded5c04b5fa8c14ce656d03cd0d1056b867f09e2ea03b2ec4c0446b44a50eae66e67

memory/3496-405-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-406-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 88ef70fae4eab74a3127819240f2a88f
SHA1 d8fb7bb05dd247d83706c68977c3a1ed8ad75a7a
SHA256 7873f1400a82fc84ae717bf687d5b3a770caee003b0fbe589dce0fb594cd2f71
SHA512 2f68c7a2e268ea57a7639912183d050cb12f4995643fe2cb8efebff96addbcf31dcb5fb16ed136711cedd4b603982b9d2be77577fdba46b8968ca6aa332a1024

memory/3496-417-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-418-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-419-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3496-425-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3860-426-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

memory/3860-427-0x0000000000AB0000-0x0000000000F4F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\bookmarkbackups\bookmarks-2024-08-12_11_MaaMR8mhAQTbCgvsLumwIQ==.jsonlz4

MD5 838d93fe7f64f4f752cc6aa88379ef54
SHA1 55f0a2bd40fd96e3a319f886a58891fd9d416c0b
SHA256 1b13e0ebb1dab164edd26588e55ea99c9909f18c56c9a3478937d96719d9a54d
SHA512 8a4fddabc8792bc2fdc4868e1873f415614c3dc08bbb50272b64fbab124b4516ab0e3be04f31cfb8e02e7b653bff231053208d1638dcf0372439dcec71d33f00

memory/3496-435-0x0000000000AB0000-0x0000000000F4F000-memory.dmp