Malware Analysis Report

2024-10-18 23:40

Sample ID 240812-frx1ka1djh
Target b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e
SHA256 b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e

Threat Level: Known bad

The file b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 05:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:12

Platform

win7-20240729-en

Max time kernel

299s

Max time network

288s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\4bdb7803fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4bdb7803fe.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 6

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1764 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1220 set thread context of 1324 | N/A | C:\Users\Admin\1000037002\d4b55d499e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\d4b55d499e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | N/A | 1
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 53

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 3
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 55

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2660 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | 4
PID 1508 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe | 4
PID 1764 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 14
PID 1508 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\d4b55d499e.exe | 4
PID 1220 wrote to memory of 1324 | N/A | C:\Users\Admin\1000037002\d4b55d499e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 13
PID 1508 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe | 4
PID 3032 wrote to memory of 1628 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 4
PID 1628 wrote to memory of 1560 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 12
PID 1560 wrote to memory of 1568 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 3
PID 1560 wrote to memory of 1608 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe

"C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d4b55d499e.exe

"C:\Users\Admin\1000037002\d4b55d499e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.0.223252204\153869984" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a36da469-ee90-45fe-85c6-80cdb053e101} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1308 120d9658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.1.1291139743\1041408827" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dc879a9-b3bb-4b4a-8e33-0e5680f329a6} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1504 e71b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.2.727964529\1817837209" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9cd77ab-0a15-4715-a17c-2157f72e7eea} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2096 1b4aea58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.3.2127734601\1862376573" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e4e7be-17db-4368-80d6-0b8f7aaf0ae2} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2904 1de52658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.4.734154689\283840631" -childID 3 -isForBrowser -prefsHandle 3064 -prefMapHandle 3324 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4408db9e-790c-400f-a575-9b9f24b4642a} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3652 17edc758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.5.632221550\1317404080" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3764 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {baf8b5eb-e880-4212-b40b-3978fb16ff2b} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3748 1f438758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.6.747275035\1833779120" -childID 5 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad431895-bf4f-4f27-ab02-1c05f198a779} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3912 1b6c3858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.7.588952137\1504560271" -childID 6 -isForBrowser -prefsHandle 4224 -prefMapHandle 2760 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c8a75e-7ea1-48be-8605-2ae2ad0a6205} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 4300 1c51e858 tab

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
N/A 127.0.0.1:49312 tcp
N/A 127.0.0.1:49320 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 71a0c8fa3b7166ee00b2871ab257049e
SHA1 a10d5aa83d11a6a1f661ef5422e8d5455791e897
SHA256 b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e
SHA512 aa95eb6e6aa71fb298babcc9a97cfaf55c3dcd7fd607acafd550a03d21365e0367c89d1da3f41cb26d68a6ef5131e761d1d67b9022cbd1cf599136e25013ca95

C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

C:\Users\Admin\1000037002\d4b55d499e.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\ae89e14a-c741-4b22-8b00-79a9fa3195db

MD5 283de8bde38acb273c7098fb9d5717b2
SHA1 4a5041c42645b6707e43dbd85c81bec4df9bb172
SHA256 3850bf5084ed7e4a0d1ee339441ed69cb4cb9aa8c6d7a2c5894c63ac7df1ac62
SHA512 b5a6c30a1ef9ac9e848b19bde6f10e7e58a1670f531e7441479111125470b5bc44797e99779fd7a195ad3196dacd4d4bd7b88261d019e6de4c74a060c969c647

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\8e8a15c4-6ab8-4680-ad91-016a2910e35b

MD5 32d0a35d8f6381274c8ca893c7f04ca4
SHA1 a849a0d7b081824102ed2230181676097542dc41
SHA256 fb3d067be9d5a4e827cc6b398756ae7a19b9c184dd5f049331c65c4fc5dbb58f
SHA512 6910476d93f32cef1c60dc56afeb7f7a68131dc76dcf6e1f62d9e9d2a24abf9376abcf1a03b38980bedeec661ace7e65439d860c561a8f8c38229631f8a271b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

MD5 a37ad8c42fbb6ab5c561aa777c3f70b3
SHA1 aede960791738d0da5158893495374f7fd12ec96
SHA256 673c18336be9534fefbcf346870771d5c51c652cf5a94403b7ccd699adad7f12
SHA512 4b7e5fbfa2830c3cb877b5acb63557fe7a4ea52cb8d1af7dbb127d925fe96a8d4fba9f76c2493d20b49a15b05796f3bada616078cadec3abddf95b91a4345293

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp

MD5 03e3a20f3c4b82e87609d7c1d0ec92ea
SHA1 1c275393dab2cdb288eb98dbe2ed5099e6fc2838
SHA256 c4da46ac22f8c4d0b893a5acfb00f9921100c4ef07bdd2abd3cdb78f026a2f41
SHA512 2844ca16920642cfd117cd74f333c1d71aa389cb2e559a2f7c1bc500c995227c49c25cfc424e08455d220ad52969051e66cace001a3c0463d6cb3cedeb904415

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 92658c74dc9a811547cfd501fd196f96
SHA1 060d73db6cb8e3b791edaf9c70383fe85bf141ea
SHA256 13f9ce7429833b9d91ebe6d2ad5d40e0147592835ecd4d4251fc91df3e15b9b5
SHA512 65e91f2a5db22ed276614cf0d7265672465f76d8901c25334b3ddf7f78107ab0fcae747a3f0b491b3569c651ff71a92a67560bf806dedb7dd796211f0c7f8314

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4

MD5 239d055b3e3dc74e974ef37debb1b656
SHA1 04dd04d983b3b0bc8c7d549217b90f21d3f0f844
SHA256 b9d36efd47ef9e9f11ba8db02a9b720e9f3a630687a46df967c8464cdf07a01b
SHA512 b71c259acad3cd69a75faa68583b529ac69b12cd63f854879a3719cc7219a912855658818b3593608974ac852b63b6b53584eba4ec875f851eb764b8ac80ebd5

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 a85e65ce9c3ceb9e8489e0e161716cfd
SHA1 521b1eebd920fca36d2c33dc676a0a1b9a61e0b9
SHA256 cad9dc6055200d3838c0393423899b377e31dd5a82ffafc51fc7753726dfe8c1
SHA512 ae71b37be8dacd0ccb74b01e50b47342bc392c0ccac0322ef97f83ca07e9208f5b7104d349558117a9423c2abe2f31a4f0443f0355ff035b873121b5a3680447

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

MD5 d8eec301c8cda35bf0ce5252e1eccc9c
SHA1 78bc22cabef451434577883ba4e09615375df71d
SHA256 cc21053b0629bd11776faf243d54c8b03aab79581c66198ef05767adaf1e94df
SHA512 6a67ac307e410fe396cda21c28531b6d13d386d2e66bdc68b46e09e1a6d04306f1945177b05855ecb41de4d6d66dbe9cde2d51d2c3ce3224077607560eab4d34

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 41162ccadb00169040dd646b1bd5c49c
SHA1 0af889dec51e8017a176e82c9d48ce15f1e97049
SHA256 ca1c994f15cfadee58d7fe747ff44cc2d8e21725f168d5e09095663500bcf31d
SHA512 9557dc03717cdbe41af3d83cd6ab411b57c8cd1d0499e67a178b87c1d734fb8fc25d4066ed62b97c3e925e236529442a765b133e410be3c0d09fdb365d41a115

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

MD5 21ce1780baa4d90ced22bc633c83f045
SHA1 5be805c966e50f407a5d076df792144a20984e36
SHA256 7b951a4a974057f8d65ec3fb7afab01cff86db6cd7de90bf201a813baa2f32bc
SHA512 78350592819faa631cb32cfb2fbbefde01fedcfb989e0d430fc8d2087569d1d79931e5571b55170041e5773ad101e5bfee85c1b7a82e93c8673a2941ab4fde58

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 43b54205736e29507e5a988fe461049d
SHA1 0a8394728511c8088a6b9fbf79223a498a24ae53
SHA256 0ed1d1df02479f20b01d5501554394a0cc93cdf5157c00dbf74ba08a2b5f8c91
SHA512 13cc67bfa665066bc6d596b5debc9681f294c87b10ac02897180e5ffc2bf3ecca9d3967af08ead51617f0c9139566f7fefd7a504c7c6559277b02717bcf35772

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\37D2E89C1D0242DDB3DF8EE21723247430D7DDCD

MD5 44032a48ac9de37f55498d87971ccaf4
SHA1 aad68955504237a7e012dbee5c01c040d0451b40
SHA256 48e10bdca9375c7fc44c01dcb46b7ead1a9b139cef9d45bfaa640f494ce06b01
SHA512 fd69f58ba4e5a39d9e206a13bfd37754cb60e5bed3cccc33d85efada74dc77f3cbfc881494fd45781d002c7eef8244f0fa44cf88605656ecaa1ad6564d7d9143

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\1E3866B584D906DD8CB8840AB2070142E2DEA38A

MD5 819c2b867e6f889158daa81e82ec0dbb
SHA1 b549d553150c138213a9fb599722e006a4016445
SHA256 12dcae339ca2eb300ff6f78688d86306cab3a8f4e143a9246e1b6c3e46d2fa38
SHA512 535e6a03ed973d560683266c3f52ff80e2d2a51068d0d931edbd8c08bd2f60610b23707e98b45c6b56422fcf7d67bcec9ce5e26c499be57df0d074e4b3120f40

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

MD5 2f7c2f5385bedc79641b7c3114bed4d6
SHA1 69d239bff3bb8d933d5d6156314aed1b8c0e76d0
SHA256 c636d626cb2a5cb4cd9603434ffd6b9f2ca1b4d95eb444494622f7d9389ef6a4
SHA512 41b5214628fd1ab4363bd513006cc3fd1c182d35b2164fb7978b36d8650d1dbcf99080de5a6222adb63ad1039a4d38498964c9accbfa8995f9e66b9118682df2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\552D7E776EF97053734643ADC0C74EEAE5E0BE4C

MD5 bf87a81f021eca94ebe3eddaf321cbb2
SHA1 5fea4dcde86ab8541f60ee599fa22bfbc3cfd788
SHA256 7e29d9328344a32a57ee16f36882f8998f0efa6c974ef0e3f507d90764d53369
SHA512 ec6112d11906cdaa6d42a2470a63539adbbf61c5bb9bc4b79da3f72422a25a76083db5b6717971cb2d2406b1688b70c697ab072672b30755718162dc248650e5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\981FF3057E35D6BAFA9551BD06F32D0A288FBFF9

MD5 90085d292f4e7cd493bb9ed1a44ae389
SHA1 1a2751e04af751865bcec0d683546d6542610754
SHA256 ae3364ffe5d7fe7c0ea13ff557924e5a422eb0ea794afbde11b9a0695c30e6e0
SHA512 47cba5eb63d9448721cf322034537f539d61e7dd85afec754029f99bcc26f5cfba0d36c08aca8a22676089d8ab5068e28b9d1cb4c0dc1fee4281a66a1239d41c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

MD5 8da2defb57478b36c4835c525d59fcef
SHA1 9b41ce64996499f405586d3e519d3a6676176c72
SHA256 496f4203c67c5a2ad8f8d07f73e3801e21c0541a56bd7c0a021deca1328f3314
SHA512 bcb9e6970f8764bdf3c5ce52c4a93944b1f025ef7a5b351d935e35c9c2d0fbd49626a6d28a46af848bbc6984ce235a562442e70d53d6f0a0ef8a876da5fc1634

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\addonStartup.json.lz4

MD5 451345068ee2338192b2ad20cae34076
SHA1 baae501c9a75ecd35f6bb885f000f9b17e84300f
SHA256 0b20523edacbb0cb40e35f1fcaf1accf30bd741fe353bcfc06a3dab18a8ca76f
SHA512 2e17607f964f46f2274245dd4274b3d558d090aad7685eb1f5f60891a196388a53fe3f453fc37650b873325c79ca04b6b88e1817e189dffb931b17ef9cb7e61a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\broadcast-listeners.json

MD5 72c95709e1a3b27919e13d28bbe8e8a2
SHA1 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\targeting.snapshot.json

MD5 0658301bb26be1d3c199eb19ae1564a2
SHA1 b84a1e492e7e656372298668971a334367f70ead
SHA256 6f9d8db828d3605857012d9f38b663edc5461f469c7496d2ab4ae5df87c5c84e
SHA512 49ef7a8718c5ff0e712524f0c7307a3126c744a16dc34af39998cda3d70c857132963d5c58a943fa295aa2833a6dbe0a44c7e98d20d965ab2a09137f3b5abd1b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 9a04157e124d7a83a013b7cd6e33f4ac
SHA1 99be893330b6b9ae0cfde69da39adf14bece307b
SHA256 9011c2ccc00f156ac318fb22a52d37e3b131f23ee101d8a1b5616b66db6ccece
SHA512 c965cc9b670a7853c465078cb23831fc018adf04a4b1aa61e96f768e04bbb8ceaa8ed9b5f3457aeb31965eabc9c3e0ee33be567ddd0a50ac83833b524e766562

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\bookmarkbackups\bookmarks-2024-08-12_11_xTq2h+S603FCU6C336nrGw==.jsonlz4

MD5 b87efcb27c4625955a16e8cdc79d70a1
SHA1 79b8ea7edd452d86d9087407aea75e612aad92a2
SHA256 98982fa608a6d2ee9e544bfcf5856f62bc003d67861ebb4d63937bbfc23ff8f3
SHA512 97f68c78d98079c31c18eaf47eb1595a646c095a9c400bda4a31f1c42345d6f0ab60187d2a127de21215d29121923f2c4aa7fe30319d0be86a1db601f6b26a80

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 05:06

Reported

2024-08-12 05:12

Platform

win10-20240404-en

Max time kernel

300s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc90da749b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fc90da749b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 set thread context of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\6951581cab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2948 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2948 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5088 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe
PID 5088 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe
PID 5088 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6951581cab.exe
PID 5088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6951581cab.exe
PID 5088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6951581cab.exe
PID 1004 wrote to memory of 816 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 816 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 816 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5088 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe
PID 5088 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe
PID 5088 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe
PID 960 wrote to memory of 424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 960 wrote to memory of 424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4152 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4152 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
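
The table above is the one place this report shows who wrote into whom, and the pattern matters more than the row count: each stage under the user profile writes into a freshly dropped child, the two downloaded payloads (fc90da749b.exe and 6951581cab.exe) write into RegAsm.exe, a Microsoft-signed .NET utility that has no reason to run here, and the RegAsm.exe instance with PID 960 then launches firefox.exe. Writes from firefox.exe into firefox.exe are the browser starting its own content processes and are expected. The script below is an added example, not part of the sandbox report, that rebuilds that graph from the rows and separates the hollowing candidates from the rest; the labels it assigns ("hollowing", "dropper", "self-spawn", "other") are its own heuristic, assumed from the paths alone.

```python
import re
from collections import defaultdict

# Constructed input: a de-duplicated subset of the rows in the
# "Suspicious use of WriteProcessMemory" table above, copied verbatim.
WPM_ROWS = r"""
PID 2948 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5088 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\6951581cab.exe
PID 1004 wrote to memory of 816 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1004 wrote to memory of 3012 N/A C:\Users\Admin\1000037002\6951581cab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5088 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe
PID 960 wrote to memory of 424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 424 wrote to memory of 4200 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4152 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4200 wrote to memory of 4636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Both paths start with a drive letter, so the non-greedy first group stops at
# the first " C:\" even when a path contains spaces (Program Files).
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(text):
    """Collapse the per-call rows into {(src_pid, dst_pid): {src, dst, writes}}."""
    edges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, src, dst = m.groups()
        edge = edges.setdefault((int(src_pid), int(dst_pid)),
                                {"src": src, "dst": dst, "writes": 0})
        edge["writes"] += 1
    return edges


def classify(edge):
    """Heuristic label for one writer->target pair (an assumption, not sandbox output)."""
    src, dst = edge["src"].lower(), edge["dst"].lower()
    if src.rsplit("\\", 1)[-1] == dst.rsplit("\\", 1)[-1]:
        return "self-spawn"   # firefox.exe setting up its own content processes
    if src.startswith("c:\\users\\") and dst.startswith("c:\\windows\\"):
        return "hollowing"    # user-writable payload writing into a Microsoft-signed host
    if src.startswith("c:\\users\\"):
        return "dropper"      # loader staging a freshly downloaded child
    return "other"            # e.g. the hollowed RegAsm.exe launching Firefox


def hollowed_hosts(edges):
    """PIDs of system binaries that received writes from user-writable images."""
    return sorted(dst for (_, dst), e in edges.items() if classify(e) == "hollowing")


def process_tree(edges, root):
    """Pre-order walk of the write graph from root: [(depth, pid, image_name)]."""
    children, image = defaultdict(list), {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        image[src], image[dst] = e["src"], e["dst"]
    out = []

    def walk(pid, depth):
        out.append((depth, pid, image[pid].rsplit("\\", 1)[-1]))
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    for depth, pid, name in process_tree(edges, 2948):
        print("  " * depth + f"{name} (pid {pid})")
    for (src, dst), e in edges.items():
        print(f"{src} -> {dst}: {classify(e):10} writes={e['writes']}")
    print("hollowed hosts:", hollowed_hosts(edges))
```

Anything this labels "hollowing" is the event a Sysmon ProcessAccess rule or an EDR would key on: a parent under C:\Users writing into a child under C:\Windows. Keeping the per-pair write count is worth the few extra lines, because a hollowed host receives a burst of writes while an ordinary process start shows at most a handful.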

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe

"C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\6951581cab.exe

"C:\Users\Admin\1000037002\6951581cab.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.0.1235524689\1194870533" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6528481-4215-4e95-a46e-1b0112c47629} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 1792 27eb75eea58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.1.733413856\1406890073" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33be0bf5-9ef8-42fd-99c9-b9a7cccb6b6d} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 2168 27ea5373958 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.2.1767867523\1982242420" -childID 1 -isForBrowser -prefsHandle 1536 -prefMapHandle 2712 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {335dd2c9-88ec-42cc-9966-8ebf839bd5d4} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 2992 27ebb4f5158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.3.1889977537\1194354767" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5219606-5846-4509-878c-49ccb0f00bc4} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 3608 27ea536d558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.4.1771439312\472159204" -childID 3 -isForBrowser -prefsHandle 4840 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3954df5-3dbe-4dd7-9451-d5c6dcbaf55c} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 4424 27ebeb3cd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.5.432700353\1618554730" -childID 4 -isForBrowser -prefsHandle 4592 -prefMapHandle 4808 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5fd5b88-2943-417e-8938-4cbac4a8631e} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 4964 27ebebf5258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.6.152620598\667972772" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5144 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba435a13-7c9f-442d-b73d-6570a2e87b5a} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 5252 27ebebf6458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4200.7.779975920\1308443175" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5508 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1132ca02-d492-42b4-90c5-3eb301dfa384} 4200 "\\.\pipe\gecko-crash-server-pipe.4200" 5532 27ea5b75b58 tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
N/A 127.0.0.1:49839 tcp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:49845 tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5lzney.gvt1.com udp
DE 74.125.163.138:443 r5.sn-4g5lzney.gvt1.com udp
US 8.8.8.8:53 138.163.125.74.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
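
Two kinds of traffic are mixed in the table above. The three 185.215.113.x hosts on TCP 80 are contacted by bare IP (the Domain column just repeats the address), and 185.215.113.19 is hit again at the very end of the run, which is what a loader checking in looks like. Everything else is name-resolved and belongs to Firefox (Mozilla telemetry and update endpoints, the OpenH264 and Widevine downloads, Google) because the stealer opened the browser on accounts.google.com. The in-addr.arpa queries are reverse lookups of the same addresses and corroborate which endpoints were contacted. The script below is an added example, not the sandbox's own output, that splits the rows on that basis; treating "no hostname was ever resolved for this endpoint" as the C2 signal is an assumption made here, not something the report asserts.

```python
import re
from collections import Counter

# Constructed input: rows copied verbatim from the Network table above
# (a subset covering every row shape the sandbox emits).
NET_ROWS = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:49839 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
DE 74.125.163.138:443 r5---sn-4g5lzney.gvt1.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None for ordinary names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """Rows are 'Country Destination Domain Proto'; the Domain column may be empty."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            (country, dest, proto), domain = fields, ""
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    c2, ptr, dns, named = Counter(), set(), set(), Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr.add(ip)           # reverse lookup of an address that was contacted
            else:
                dns.add(r["domain"])  # forward lookup by name
            continue
        if r["host"].startswith("127."):
            continue                  # loopback, no external contact
        if r["domain"] == r["host"]:
            # No name was ever resolved for this endpoint: hard-coded IP, C2 candidate.
            c2[f"{r['host']}:{r['port']}"] += 1
        else:
            named[r["domain"]] += 1   # name-resolved traffic (here: Firefox and Google)
    return {"c2_candidates": dict(c2), "reverse_lookups": ptr,
            "dns_names": dns, "named_hosts": dict(named)}


def confirmed_c2(t):
    """C2 candidates whose address was also the subject of a reverse lookup."""
    return sorted(ep.rsplit(":", 1)[0] for ep in t["c2_candidates"]
                  if ep.rsplit(":", 1)[0] in t["reverse_lookups"])


if __name__ == "__main__":
    t = triage(parse_rows(NET_ROWS))
    for ep, n in t["c2_candidates"].items():
        print(f"C2 candidate {ep}  connections={n}")
    print("confirmed by reverse lookup:", confirmed_c2(t))
    print("name-resolved hosts:", sorted(t["named_hosts"]))
```

The output is the block list worth exporting from this report: three endpoints, all plain HTTP on port 80, with 185.215.113.19 contacted twice. The name-resolved set is only useful for telling the analyst that the browser was driven, not for blocking.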

Files

memory/2948-0-0x0000000000390000-0x000000000084F000-memory.dmp

memory/2948-1-0x0000000077114000-0x0000000077115000-memory.dmp

memory/2948-2-0x0000000000391000-0x00000000003BF000-memory.dmp

memory/2948-3-0x0000000000390000-0x000000000084F000-memory.dmp

memory/2948-5-0x0000000000390000-0x000000000084F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 71a0c8fa3b7166ee00b2871ab257049e
SHA1 a10d5aa83d11a6a1f661ef5422e8d5455791e897
SHA256 b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e
SHA512 aa95eb6e6aa71fb298babcc9a97cfaf55c3dcd7fd607acafd550a03d21365e0367c89d1da3f41cb26d68a6ef5131e761d1d67b9022cbd1cf599136e25013ca95

memory/2948-14-0x0000000000390000-0x000000000084F000-memory.dmp

memory/5088-15-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-16-0x0000000001251000-0x000000000127F000-memory.dmp

memory/5088-17-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-18-0x0000000001250000-0x000000000170F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\fc90da749b.exe

MD5 db946418424011c782182c76ab8c179f
SHA1 d640d54d341cf6341bd434c9015d23d22156612a
SHA256 bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512 a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

memory/4856-31-0x00000000009D0000-0x0000000000B00000-memory.dmp

memory/960-33-0x0000000000400000-0x000000000052D000-memory.dmp

memory/960-35-0x0000000000400000-0x000000000052D000-memory.dmp

memory/960-37-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\6951581cab.exe

MD5 62c81eb8cd78dbcf5767f84caad6972e
SHA1 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

memory/1004-50-0x0000000000110000-0x0000000000148000-memory.dmp

memory/3012-52-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3012-54-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\66881af88e.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/700-67-0x0000000000290000-0x00000000004D3000-memory.dmp

memory/700-68-0x0000000000290000-0x00000000004D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\edd0a9ae-dc48-4ee0-96f4-96f979df937b

MD5 c6714710acf80821405f4075b6175424
SHA1 2a0153d39b99d11ef3a79fb9365d113580f66d74
SHA256 a0f6af4878d2e42bd325e432340528490fad763b96701babf5413a7facae6fb0
SHA512 027f7afbb8bc56b7a77db6ed5502390fc3fc9ab913c20fc8ac274022b2aff242c5b77ba734381b56db12ed1eb307f21e4790ca3a601fd146b321c41209bb69be

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\32237785-9316-47ab-ae5c-5a1f1d5238ca

MD5 58ca6601139e083898eba1847dda8e0d
SHA1 b5b76461f4cecc67f86b06a96e06e4240d275f38
SHA256 ff773a394b03eac772e842b7ebd7c371100532348299e17c4ef530fbf3b04281
SHA512 27534d5f1fae7e68c19964ed9a6cf35ebaeb4203a9bda7adcb1eab980bd4d1067677f452b2378e995018fb54fe22870dac6690e74c47990414520282e4b3d2d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

MD5 4d18078e82ad394b935cfdfe0c9ecaaa
SHA1 f50706adc2082244e1d3e596e555e3e8a9276383
SHA256 d886464fa32613977e6573cedb5b6814a242c10f835285e8b6899f7c04e92651
SHA512 5ee9465b9f6209ffd35a998c8a12e6a839f0162e3c22efa39148d47155bb3e423a929c738685a62efc8d1eccf5fa6c9b8817fc7667901f812db4b9f4841c88a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a4627d94b477e3f653435fcf27e2663d
SHA1 d5dc31c0165277e469d92453c556786995e2800d
SHA256 7c1ea6cee0386d6af3cb7523167c2b880592657ceacc4e56edbc2394575c5c69
SHA512 7619d8f8f790c6b47faa75eb3f834640fe6ab684209f2eeb6eff26017c7ebb44972018463bb15d0e7955bed5bde4ebff809754b3c2057d7749bafe82dbe48455

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

MD5 678eeeea908ac1fc9f6e248a45233f8b
SHA1 fd46e63d1e79da85b190c6513d4a3127069c204c
SHA256 c7e4fb9491625129f461aaf0e9c3b4f6e82183a062f075efa63aa3d5d402bab6
SHA512 1dc8bf039821e4d8d9f268242d7b82c820368ee8d9bfafca10b06c013265010e2a476814a6e196bc02af693cce2b81861493b848e96d5cfbb230781936bb65de

memory/5088-197-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-202-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-205-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-212-0x0000000001250000-0x000000000170F000-memory.dmp

memory/5088-215-0x0000000001250000-0x000000000170F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 52e7da06db3b6544d4ebd0f1934bebcf
SHA1 cb953386e10950e68b07780add4e4932a91a0ecc
SHA256 f0ba35fc514dbb8ecd7e9ef8eaec69e6b57d02251ebb11072e566daa0271b511
SHA512 ca7b21c9eaef94a6eda8eb451dcdbd82a8d90f99400ce3292232c67ae1fe5a7a2617520af4b541b6e50e001ff67e238cb97d89ad4c878c897b4dbe883098f6b4

memory/5088-222-0x0000000001250000-0x000000000170F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js


C:\Users\Admin\AppData\Local\Temp\tmpaddon-1


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js


C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C


C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495


C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B


C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913


C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\broadcast-listeners.json


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\targeting.snapshot.json

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\bookmarkbackups\bookmarks-2024-08-12_11_ynjabA+xcPNHPZU1gEyrew==.jsonlz4
