Malware Analysis Report

2024-10-18 23:42

Sample ID 240812-vxl8ksvhnd
Target 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
SHA256 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6

Threat Level: Known bad

The file 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 17:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 17:22

Reported

2024-08-12 17:25

Platform

win7-20240708-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a527b58d9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8a527b58d9.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (6 identical entries)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 572 set thread context of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2836 set thread context of 1464 N/A C:\Users\Admin\1000037002\d3efe039e9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\d3efe039e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (6 identical entries)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (4 identical entries)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (53 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (6 identical entries)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical entries)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (55 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (4 identical entries)
PID 2804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe (4 identical entries)
PID 572 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (14 identical entries)
PID 2804 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\d3efe039e9.exe (4 identical entries)
PID 2836 wrote to memory of 1464 N/A C:\Users\Admin\1000037002\d3efe039e9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (13 identical entries)
PID 2804 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe (4 identical entries)
PID 2728 wrote to memory of 1812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (4 identical entries)
PID 1812 wrote to memory of 1044 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (12 identical entries)
PID 1044 wrote to memory of 1704 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (3 identical entries)
PID 1044 wrote to memory of 2520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe

"C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\d3efe039e9.exe

"C:\Users\Admin\1000037002\d3efe039e9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.0.9265799\1344171379" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0bd0e1a-a576-4702-afc2-4b4223d277be} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1364 fedd558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.1.411113490\1513952049" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5efc165-5426-47e2-8de7-e1b777999d27} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 1544 eceb558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.2.1945659457\892370061" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d20c0b9-b502-4460-b0f7-29be4bf6656a} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2096 1a493958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.3.1326034224\1781863811" -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7df132c2-9c3a-4732-91f4-b18e8ee03d76} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 2892 e6a458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.4.1411214870\2120150909" -childID 3 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa560bdc-298e-4c0d-b799-0c27d1ecb67d} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3876 1ff64d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.5.1962333114\1852508815" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6649f61b-a3ca-411a-bdd8-360b1627f464} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3976 20e69758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.6.861636520\843849148" -childID 5 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61130462-718e-45f9-b0fd-97f621d20b16} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 4180 20e69458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1044.7.360924537\612027751" -childID 6 -isForBrowser -prefsHandle 3828 -prefMapHandle 4216 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5944bf74-f33d-4b63-b45b-15d39e67aade} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" 3992 1b36b358 tab

Network

US 8.8.8.8:53 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp

Files

memory/1488-0-0x0000000000FE0000-0x00000000014B3000-memory.dmp

memory/1488-1-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/1488-2-0x0000000000FE1000-0x000000000100F000-memory.dmp

memory/1488-3-0x0000000000FE0000-0x00000000014B3000-memory.dmp

memory/1488-5-0x0000000000FE0000-0x00000000014B3000-memory.dmp

memory/1488-10-0x0000000000FE0000-0x00000000014B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 a8963ee5ca072f13559f19a434575162
SHA1 5cf8ff672194be0b1cc4de3d199bb42f0fbcc944
SHA256 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
SHA512 9476a7ba19be415888a513970eb55e86e1455246d614e5523972526721a6599a64eb68597a1ff699a939c20f1936157b38b7a12311e8b5cbdea450a71854f877

memory/1488-17-0x0000000000FE0000-0x00000000014B3000-memory.dmp

memory/2804-18-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/1488-16-0x0000000006F60000-0x0000000007433000-memory.dmp

memory/2804-19-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-20-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-22-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-23-0x0000000000FB0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\8a527b58d9.exe

MD5 a9d08832d00dd0c9dc7f78f8d00fa67a
SHA1 b636ea5c2d14de4dd4139d0aae7240a9e1120456
SHA256 215d9ba94d29bc1a536420be578c066908b13e8fbefeadaede15b9ed72b562c1
SHA512 21fdef0123e1f048da2e7f25da6eff97712ebd16d789d7e8e4933ea0341f94d581ab04c227266998cbb9845b3af98dc1cfd4c9e6881d5229e493405a559aa08c

memory/572-38-0x00000000001F0000-0x0000000000320000-memory.dmp

memory/2728-40-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-42-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-50-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-54-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2728-56-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\d3efe039e9.exe

MD5 264c7b385f725f6d1ec540e66a34889e
SHA1 0d792dccf1d140874b6816d2764ae2dc7d041d5d
SHA256 6f8bb2f210e76d0fb8bd0995c574f59eb9f212126b44eda9763462acede9f1c1
SHA512 b48c9d003291d0373da6f7e57772c70790496accf22ba180837d4b32d0e6da38300088a239a23cfc2faa41bf4e39e65e341fe33c251385de93830b978df3fb90

memory/2836-71-0x00000000011C0000-0x00000000011F8000-memory.dmp

memory/1464-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-77-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-87-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-85-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-84-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-81-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-79-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1464-75-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\de9334a9ef.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2804-104-0x00000000067D0000-0x0000000006A13000-memory.dmp

memory/2392-106-0x0000000000EA0000-0x00000000010E3000-memory.dmp

memory/2804-105-0x00000000067D0000-0x0000000006A13000-memory.dmp

memory/2392-107-0x0000000000EA0000-0x00000000010E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

MD5 3baa4c8bf40b39ac6b7a34f961a0381e
SHA1 49db31380820529db1535e0fdd1e257ffd72ceb1
SHA256 50896ba696dd99218741ec595db42828d13511fd9462a3c1181b7da62167c88a
SHA512 2b3e7449b65a7a781119d0a002ec675ccd2b215f1c469960d20251b37132fd07068d9d609b8d3ef28d1fe5709bc133ba501d55df8de648aa11311fc78210c5af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\ce212d95-f81d-4b9d-9077-267f1200ab59

MD5 3f34ac28fbe906b34941ef15e7e8e2a1
SHA1 fd3e9994b74427f0e7b1bad2d18fee0c7c3a4915
SHA256 cc3bbb7b9a3e96dcc1f2796722336b41ee4c183dc575d47bdf46610bdcbd29d9
SHA512 998c0e9051debbea0ed087bd98764d3ca22cc2c7e7f906235da939372ecbb1ee5c0992a6e4c21da29f20c05360a4169b6ee55068a13e4daa3ef034662c261c5f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\0356ccce-ef11-48e4-892e-55b2415e8f8c

MD5 1fba29645e34c7ff3d36c2492f3a6771
SHA1 34757c20efb0473f2e1ce37f16ad81895be0d090
SHA256 b5a802986be0923e8f35b97473f343af36cf55ee23cabd1cd9722c67e632e2ff
SHA512 46c41bb59fda6c9999d01371587259373be1e8895daf22850c56cebfee7045ec0402c8f4a606284fb4956e3964be23f2fe81037b18bb15785255c96d35996957

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3dc733f51b6c47c0e57ae7035b9abacf
SHA1 d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
SHA256 aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
SHA512 e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

MD5 9313515d96b4946086fcd6b3d7520133
SHA1 d10bc923e87f12fdaee55a676e31b7977bff8b30
SHA256 24b1b1bad6bc42720df22de163af4560279e2fb11c944051b373c9c6d8302e2b
SHA512 b4839fcc033e75c2f290d9c3742361a434998fbbec369c5cac6e08eab8df860bc44c3c32afd37db355c7687045b003512dfd76c6883f1aec8ab102eb2928b16c

memory/2804-225-0x0000000000FB0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 c639e9b849f34fa098d320a2b88f2599
SHA1 4e3a4006d356d18feda819f163e68b2037c8949c
SHA256 1d6ec38f4a3c5097125bb2b47369bd99370c05fc5d3e7f25f4dffa97d781f24b
SHA512 d2118b145d66ccd2eb8d87d6512062252d2e15ac9701f57341fc640099c3c9352c4ef4bda88dc8bc5c60fcce7fb89cd85c2f43219e866d2389c3029ab58e9558

memory/2804-254-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-267-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-277-0x0000000000FB0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2c9f91f1c800019d3bdaafd8a782a76d
SHA1 c7c4345c13e46117117467cecf71d9b96543ca59
SHA256 f17fc397b0c66cd2df5adbffe1d6b053faf89c0e191a3d7c2e131c8d55138b16
SHA512 d79818baaa75105c4eb12a68c8cd631ab7d1a235fd3530452e3483fd62e5ac6f1f13ee416ffc1b67cb7194190a5ac4b47b2760568126e65466ebdd7d7386eacc

memory/2804-286-0x0000000000FB0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 68052b0ef5732bbea9a1fb1af0c313ac
SHA1 2dbd07e9763967fda34e79fe01a86f917820aabe
SHA256 d36f1770154151ed1d17c1ddedff52229090f9fbaad6666ff0cbab03559e26d8
SHA512 b9686c63428ca078523ad0e0874a663b8870e5c3b079a34c8aecf179a7e3aece85392a62b146e49fed55e7cb2199ae27c0d76e74707f357597c84bc3519fddf8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2804-359-0x0000000000FB0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 8d7c16e4f51d19eddc7a2bb7e23ec9f8
SHA1 67f22be5597f376b15d9168b94f5ddbd3ac31c0c
SHA256 ab8de1bd9e7302a8e02a566324f31340254e827bbf639d0e7d6b150b095e8428
SHA512 b3b14f4a6632bd758b736549ce70f75e7ad65eb2c0368610afc0ee8b35c1246003152b334683a42446de7415606f390034558cabc4f8061898bd7974e1c74592

memory/2804-365-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-367-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-378-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-381-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-382-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-383-0x00000000067D0000-0x0000000006A13000-memory.dmp

memory/2804-384-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-385-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-386-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-392-0x0000000000FB0000-0x0000000001483000-memory.dmp

memory/2804-393-0x0000000000FB0000-0x0000000001483000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 17:22

Reported

2024-08-12 17:25

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f25a552626.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f25a552626.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4024 set thread context of 1000 N/A C:\Users\Admin\1000037002\8a527b58d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\8a527b58d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3404 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3404 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2764 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe
PID 2764 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe
PID 2764 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe
PID 4856 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2764 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8a527b58d9.exe
PID 4024 wrote to memory of 1000 N/A C:\Users\Admin\1000037002\8a527b58d9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2764 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe
PID 4124 wrote to memory of 2036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2036 wrote to memory of 1300 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1300 wrote to memory of 1836 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe

"C:\Users\Admin\AppData\Local\Temp\0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\8a527b58d9.exe

"C:\Users\Admin\1000037002\8a527b58d9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1a504ed-4322-47c5-a4b9-32d51c48d135} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5117ec61-1983-4ebc-adfd-dbbbf47bfb0f} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2652 -prefMapHandle 3220 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b44a48-42ee-48ed-9687-4ccfd1a728de} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 2664 -prefMapHandle 3048 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05d7761c-90a9-4b12-ac29-fe4e453d6a9e} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4508 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd06b048-fa90-4f04-af77-bb7c1cde6ab2} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 3 -isForBrowser -prefsHandle 5624 -prefMapHandle 5600 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ab52035-828c-46ad-9251-04cb305b7103} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5824 -prefMapHandle 5828 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c8b9db-5dbd-4934-a345-2794ba14da27} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5664 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fd51052-ee43-454b-8b79-78dd67b2ef24} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 6 -isForBrowser -prefsHandle 6116 -prefMapHandle 6148 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96755ee1-41bc-4739-ab06-bbc2b0729b7c} 1300 "\\.\pipe\gecko-crash-server-pipe.1300" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
N/A 127.0.0.1:51379 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
N/A 127.0.0.1:51386 tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 a8963ee5ca072f13559f19a434575162
SHA1 5cf8ff672194be0b1cc4de3d199bb42f0fbcc944
SHA256 0fbed171385a9162e85409298f6df51542ecdcba7a93cf2b6285b8ff799e80d6
SHA512 9476a7ba19be415888a513970eb55e86e1455246d614e5523972526721a6599a64eb68597a1ff699a939c20f1936157b38b7a12311e8b5cbdea450a71854f877

C:\Users\Admin\AppData\Local\Temp\1000036001\f25a552626.exe

MD5 a9d08832d00dd0c9dc7f78f8d00fa67a
SHA1 b636ea5c2d14de4dd4139d0aae7240a9e1120456
SHA256 215d9ba94d29bc1a536420be578c066908b13e8fbefeadaede15b9ed72b562c1
SHA512 21fdef0123e1f048da2e7f25da6eff97712ebd16d789d7e8e4933ea0341f94d581ab04c227266998cbb9845b3af98dc1cfd4c9e6881d5229e493405a559aa08c

memory/4856-40-0x000000007369E000-0x000000007369F000-memory.dmp

memory/4856-41-0x00000000009C0000-0x0000000000AF0000-memory.dmp

memory/4124-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4124-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4124-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\8a527b58d9.exe

MD5 264c7b385f725f6d1ec540e66a34889e
SHA1 0d792dccf1d140874b6816d2764ae2dc7d041d5d
SHA256 6f8bb2f210e76d0fb8bd0995c574f59eb9f212126b44eda9763462acede9f1c1
SHA512 b48c9d003291d0373da6f7e57772c70790496accf22ba180837d4b32d0e6da38300088a239a23cfc2faa41bf4e39e65e341fe33c251385de93830b978df3fb90

memory/4024-66-0x0000000000740000-0x0000000000778000-memory.dmp

memory/1000-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1000-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\c5203a22e9.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4332-86-0x0000000000B30000-0x0000000000D73000-memory.dmp

memory/4332-87-0x0000000000B30000-0x0000000000D73000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 2bb0a632974dca4234590d915574964d
SHA1 5e900e9c8260403b0069f4cc55f726f3b4561134
SHA256 210aa29ed990890cd80ceaa3edabd82624478324604c14e934de4f09455f0f4b
SHA512 e416ebe4c3e793b9d893a3834ed9ece09b0b8ab56b9c00d749c516e503a95a0914b557aea030c912ef91b622234997a6706bdf3547a328157686fd191d82b7af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\359d3209-6231-48b9-84d0-002f31b70b59

MD5 f3145f467ba2eb30ef2875caae8e86e3
SHA1 c27bed97837a85ecc57862052dfa3efb1be87d69
SHA256 ee2b990fa888a6ce59338095e1f37eeccb48b75d2cf5949882757261eff56363
SHA512 081c06cd11f55a7616bf9c051f97cf714600fca9fdbb2a4e415bfbdfe2a410d0d2a28885afd5b9f4b2b8df3d76534e33a1d2dd8b2b85b9f00a8f6392cc9e6552

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c818f1aa-b65d-4975-a134-4b628da66bde

MD5 0d3ac175d4c3afcfa7279a1082a7cce3
SHA1 5a3f65877eb05254cb2d520132f78f86738e1404
SHA256 5feab3d9c7ba575d39ddb07e4aa0086d06b0aff88c3dd6e16a63cb43227c785f
SHA512 98777ccd3a44964b734334151cf11c18cc51f94eeb6dc84e0cd6454a6d07cf012311d3410547d182c4340f87d76c3d10b1df46dee82d41c7997f79b6fb9dab61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\48732d46-59be-4b6b-817d-e5e1f7111015

MD5 9d5d73142d70aff9cf3edfe1cf42f0f1
SHA1 f0013f455b176e859f128438fab2f3cd1d798af2
SHA256 4160f35f62c6fcc8e01a69dafa506b434194a6cf97d96db8d0e5730a91faa1c1
SHA512 b1926d8004fc4f09aa0a941f289ac206ff3d7f548078239482fa9931bfd9609db305be7a5454b9a464ccd1466c9d62cef4eed41de59b0a577006b6177f1efc0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 b68ce8ba5716147090175fe337a7f5f6
SHA1 dc12eea9fb2ca0c61a449cd891af0831b313cade
SHA256 ddba883b000c632032f28a7016f6cf70be72438c7d311fb3cc9580a18c628ca4
SHA512 685f9df89e2b0f8855089c902c5b734d7a9876170d2344048f42030a46f01b3b22aea852e810083094429e72597ddab070a8375cdd1bd4d6bbfd8375c26a0937

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 0a31e8c3ae22d6bb8cf8108d2a09ea20
SHA1 b3f5c1dbd0d4e06a32a4a60ef3e20cc64b4151e7
SHA256 4306cc81f86096e9370917ebe9e39281849fe5a31d05a79e9a2764ebb0c76bb4
SHA512 f63aafba9bf60185bf0b169a085c1f6e11f6ef56018f62dd15afd610fcbfc7befd0a5fed99acc9dcd9f7bb20d39f7b8f678bb27e1cbcdeb1fba11dedfd22b71a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 39dc66255dddf9391b7e9234ca7002df
SHA1 cf67fc15777535f01dd62351b03e2bc2e219eaf5
SHA256 28f34a58225a6d1fd10cd489b547662c521d266a1f261afa9f95b58a35c9c7c5
SHA512 19c389737fdfc525315342de62391251814dba9c02456eb9ff1aa0501eb62aca094bafad670bbfebad2918e4010a9664f0a5f5677cdcd6abe14c6e8273c183ff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 c22ef92a43cb2be734948106e76b67fd
SHA1 adc14861c160fa01afd2dc755e7148c30ac17dff
SHA256 10d8272cee86f066300c868a891cda760ef6cbce40fdd95d87f8eb22ce9a7abb
SHA512 6212f335e105a4bc4d3e8dc1d1678fd2e1407b0bb95879a5de5098d0748908cb2d045af117435898a0ac130adbdb5e595d18f32e5b0f4318db47690c592d3258

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 35144abc5a53ab48445563a5d2262453
SHA1 d12597f786fb9a8648c4816f5de59f5fc9901ae0
SHA256 9111519729d7113b4dcddd99f37fe76f8cf2f54d5aff41a63fc7ca3f738cc4d4
SHA512 5a4a048d55f6b6544f06cf7c468b9334e82e25ecddbd621b69229a062772f0b1117045ce4ff83a3ba9e9a9af2bffa5ede808c87abd05297588347de73f870689

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 1fef23ed4c296132b601f8e823e3d5db
SHA1 5e00a5d946ac3f57567208835bb78540de72df72
SHA256 392224edb279582474baa2983edc8f0b3d9167fb18819e8a837f636b3c207c70
SHA512 01e0cbc83b60952c3fe5520a45e0c2da5b05bdf93fc772db981a28af6a7734596d5d8de6583054aabf26b86b4ede3f27c8b39afd5170a8f1201fd31637f8f5e6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 5edfc8cda8c59e949687f8ccfecc8b16
SHA1 1bbc27c8c0dc95da5edf779d2f85a46c2893f9da
SHA256 b01ce331ea7218ec5d36f15b5f783115db52cfede59c53d5c6f9a8cf6b8c3717
SHA512 a6ebe346eaeeb15c4904c4689c639d3a6ba8d9854ed7a07a5d2fe43c582a48cdefe32798d3b3ed1fdedf56b0e3fa7c6e9f16afd87229d22ba3412d159177ed38

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 a16ccdd91082486bc5be968c31021b2d
SHA1 674bd2230a4d1f3a5b9f5af8d6182bfdf7f9cf2c
SHA256 6dd284f12a267517ec92dd1405c0d4bf6faac5d2ff92781e23383885af75a684
SHA512 ffb782e68379e456b56e7d206504fc0ebe807000917d475b8ad6190ae967bc3f2f0939f02628b30ff52071143496cea48f2ba3c119c6c35ca917166b7abd637a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a8ad25ff1ccb1b1cddc62a509b069543
SHA1 2497b94ed16a3edf60551d8ddb587026762f41d3
SHA256 0c639858285a193e75c6201bfc453ceb29eb5aec5d569409932b6e34b180770a
SHA512 4d81661181c3575b355d997e05aba9c11869a508e5b933c0b6bc9f92158c1ea5d0240afcaf8579ea99debf3737eb7ef9a479ac9719a4c61b1fe3249890c3d359

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 7dc51df793760a38da7107c23ad1973b
SHA1 6fb7124f9b50fd6bcfba12436273c37ed3889c93
SHA256 0392ac25fd425ddb7e27de5f025feefa210e8eacaccd13f135f808dd5c9e4e77
SHA512 bfb692b341e1ab49241b92e1a9e48c30334e37e168c723b09101f14d0c8490e21178ad74595c0922cdb0d651af17b6e2c5bcee9136c5c321e5608e2f0e64805e
