Malware Analysis Report

2024-10-18 23:40

Sample ID 240813-bnebts1gqr
Target e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
SHA256 e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be

Threat Level: Known bad

The file e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 01:17

Reported

2024-08-13 01:19

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e29accf2cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e29accf2cd.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
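The registry rows above are the host-side signal worth turning into rules: the ACPI DSDT\VBOX__ and Software\Wine key opens and the SystemBiosVersion/VideoBiosVersion queries are sandbox/VM checks, the Geo\Nation lookup is locale discovery, and the Run value that points into %TEMP% is the self-start. The Python below is an added example and not part of the sandbox report or its tooling: it classifies registry events of the shape shown in these tables (operation, key path, issuing process, written data) against a small rule table, counts technique hits per process and extracts Run-key persistence entries, flagging launch paths under a user profile. The sample events are constructed from the rows above; the rule names, the RegEvent type and the helper functions are this example's own, and the ATT&CK IDs are the standard Enterprise technique numbers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """One registry event in the shape the sandbox tables use."""
    operation: str   # "Key opened", "Key value queried", "Set value (str)"
    path: str        # full \REGISTRY\... path of the key or value
    process: str     # image path of the process that issued it
    data: str = ""   # data written, for Set value rows only


# (rule name, ATT&CK technique, operation it applies to, path regex).
# T1497.001 Virtualization/Sandbox Evasion: System Checks; T1614 / T1614.001
# System Location Discovery (Language); T1547.001 Registry Run Keys.
RULES = [
    ("VirtualBox ACPI table", "T1497.001", "Key opened",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$"),
    ("Wine marker key", "T1497.001", "Key opened",
     r"\\Software\\Wine$"),
    ("BIOS version string", "T1497.001", "Key value queried",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"),
    ("Geo/Nation locale", "T1614", "Key value queried",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("NLS language", "T1614.001", "Key opened",
     r"\\Control\\NLS\\Language$"),
    ("Run key write", "T1547.001", "Set value (str)",
     r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
]

# Anything under a user profile is writable without elevation; a Run value that
# points there is the usual stealer self-start, not an installed product.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def classify(event):
    """Return (rule name, technique) for the first matching rule, else None."""
    for name, technique, operation, pattern in RULES:
        if event.operation == operation and re.search(pattern, event.path, re.IGNORECASE):
            return name, technique
    return None


def launch_path(data):
    """Strip surrounding quotes and trailing arguments from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage(events):
    """Count technique hits per process and collect Run-key persistence entries.

    Returns ({process: {technique: count}}, [(value name, launch path, user_writable)]).
    """
    by_process = defaultdict(lambda: defaultdict(int))
    persistence = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        _, technique = hit
        by_process[ev.process][technique] += 1
        if technique == "T1547.001":
            target = launch_path(ev.data)
            persistence.append((ev.path.rsplit("\\", 1)[1], target,
                                bool(USER_WRITABLE.match(target))))
    return by_process, persistence


# Constructed sample: the operations, keys and processes from the report's rows.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000"
HKLM_HW = r"\REGISTRY\MACHINE\HARDWARE"

EVENTS = [
    RegEvent("Key opened", HKLM_HW + r"\ACPI\DSDT\VBOX__", SAMPLE),
    RegEvent("Key opened", HKLM_HW + r"\ACPI\DSDT\VBOX__", EXPLORTI),
    RegEvent("Key value queried", HKLM_HW + r"\DESCRIPTION\System\SystemBiosVersion", EXPLORTI),
    RegEvent("Key value queried", HKLM_HW + r"\DESCRIPTION\System\VideoBiosVersion", EXPLORTI),
    RegEvent("Key opened", HKU + r"\Software\Wine", EXPLORTI),
    RegEvent("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", REGASM),
    RegEvent("Set value (str)", HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e29accf2cd.exe",
             EXPLORTI, r'"C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe"'),
    # Ordinary hardware query from the browser; must not match any rule.
    RegEvent("Key value queried", HKLM_HW + r"\DESCRIPTION\System\CentralProcessor\0\~Mhz", FIREFOX),
]

if __name__ == "__main__":
    per_process, persist = triage(EVENTS)
    for proc, techniques in per_process.items():
        print(proc.rsplit("\\", 1)[1], dict(techniques))
    for name, target, writable in persist:
        print(f"Run\\{name} -> {target} (user-writable: {writable})")
```

Two things the rule table deliberately does not do: it does not treat a single BIOS-version query as malicious on its own (Firefox queries CentralProcessor keys in the same run), so a detection should require several T1497.001 hits from one process, as explorti.exe produces here; and it only recognises the HKCU Run key, so RunOnce, HKLM Run and the Task Scheduler job (C:\Windows\Tasks\explorti.job) this sample also drops need their own rules.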

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1068 set thread context of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 set thread context of 876 N/A C:\Users\Admin\1000037002\8f6e692d26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\8f6e692d26.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count (consecutive identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A 1
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 35

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count (consecutive identical rows collapsed)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 37

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (consecutive identical rows collapsed)
PID 4004 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 3
PID 2144 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe 3
PID 1068 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 10
PID 2144 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\8f6e692d26.exe 3
PID 4704 wrote to memory of 876 N/A C:\Users\Admin\1000037002\8f6e692d26.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 9
PID 2144 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe 3
PID 2168 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 2348 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 4604 wrote to memory of 1420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 20
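Read together with the SetThreadContext rows, this table describes a hollowing-style chain: explorti.exe (PID 2144) launches e29accf2cd.exe (1068) and 8f6e692d26.exe (4704); each of those writes repeatedly into a freshly started RegAsm.exe (2168 and 876) and then sets its thread context; and the RegAsm instance fed by e29accf2cd.exe goes on to start Firefox (2348), which matches the Firefox command line pointing at the Google password page. Write counts alone do not separate injection from normal process creation (Firefox writes into its own content processes 11 and 20 times here); the pairing of writes and SetThreadContext from the same source does. The Python below is an added example, not the sandbox's own tooling: it parses constructed rows in the format of these two tables, flags every target that received both a remote write and a SetThreadContext from the same source PID as a likely hollowed host (ATT&CK T1055.012), and walks the write edges as a process tree. The row data is built from the report; the HOLLOW_HOSTS list and the verdict fields are this example's assumptions.

```python
import re
from collections import defaultdict

# Signed Microsoft binaries that stealers commonly start suspended and overwrite.
# Assumed list for this example; extend it from your own telemetry.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
SETCTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def parse_rows(rows):
    """Turn (description, process, target) rows into events.

    Each event: kind ("write" or "setctx"), src/dst PIDs, src_path/dst_path.
    Rows whose description matches neither API are skipped.
    """
    events = []
    for desc, process, target in rows:
        kind, match = "write", WRITE_RE.match(desc)
        if match is None:
            kind, match = "setctx", SETCTX_RE.match(desc)
        if match is None:
            continue
        events.append({"kind": kind, "src": int(match.group(1)), "dst": int(match.group(2)),
                       "src_path": process, "dst_path": target})
    return events


def find_hollowing(events):
    """Flag every target PID that received both memory writes and a SetThreadContext
    from the same source PID. Returns {dst_pid: verdict dict}."""
    writes, setctx, paths = defaultdict(int), set(), {}
    for ev in events:
        pair = (ev["src"], ev["dst"])
        paths[pair] = (ev["src_path"], ev["dst_path"])
        if ev["kind"] == "write":
            writes[pair] += 1
        else:
            setctx.add(pair)
    verdicts = {}
    for src, dst in setctx:
        if writes[(src, dst)] == 0:
            continue  # context change without a prior write is not hollowing by itself
        src_path, dst_path = paths[(src, dst)]
        host = dst_path.rsplit("\\", 1)[-1].lower()
        verdicts[dst] = {"injector": src_path, "host": dst_path, "writes": writes[(src, dst)],
                         "technique": "T1055.012", "trusted_host": host in HOLLOW_HOSTS}
    return verdicts


def descendants(events, pid):
    """Breadth-first list of PIDs downstream of pid along write edges. In this report
    every parent->child launch also appears as a write, so the edges double as the tree."""
    children = defaultdict(set)
    for ev in events:
        if ev["kind"] == "write" and ev["src"] != ev["dst"]:
            children[ev["src"]].add(ev["dst"])
    seen, queue = [], [pid]
    while queue:
        current = queue.pop(0)
        for child in sorted(children[current]):
            if child not in seen:
                seen.append(child)
                queue.append(child)
    return seen


# Constructed rows: the PIDs, paths and repeat counts from the report's two tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD1 = r"C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe"
PAYLOAD2 = r"C:\Users\Admin\1000037002\8f6e692d26.exe"
PAYLOAD3 = r"C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"


def repeat(desc, src, dst, n):
    return [(desc, src, dst)] * n


ROWS = (
    repeat("PID 4004 wrote to memory of 2144", SAMPLE, EXPLORTI, 3)
    + repeat("PID 2144 wrote to memory of 1068", EXPLORTI, PAYLOAD1, 3)
    + repeat("PID 1068 wrote to memory of 2168", PAYLOAD1, REGASM, 10)
    + [("PID 1068 set thread context of 2168", PAYLOAD1, REGASM)]
    + repeat("PID 2144 wrote to memory of 4704", EXPLORTI, PAYLOAD2, 3)
    + repeat("PID 4704 wrote to memory of 876", PAYLOAD2, REGASM, 9)
    + [("PID 4704 set thread context of 876", PAYLOAD2, REGASM)]
    + repeat("PID 2144 wrote to memory of 1776", EXPLORTI, PAYLOAD3, 3)
    + repeat("PID 2168 wrote to memory of 2348", REGASM, FIREFOX, 2)
    + repeat("PID 2348 wrote to memory of 4604", FIREFOX, FIREFOX, 11)
    + repeat("PID 4604 wrote to memory of 1420", FIREFOX, FIREFOX, 20)
)

if __name__ == "__main__":
    events = parse_rows(ROWS)
    for pid, v in sorted(find_hollowing(events).items()):
        print(f"PID {pid}: {v['host']} hollowed by {v['injector']} ({v['writes']} writes)")
    print("tree under 4004:", descendants(events, 4004))
```

On a live host the same correlation is available from a kernel-callback EDR or from Sysmon event ID 8/10 style telemetry; the point to carry over is that f3eaefc4f8.exe (1776) receives the same three creation-time writes as the two injectors but never a SetThreadContext, so it is a dropped child, not a hollowed one.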

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe

"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\8f6e692d26.exe

"C:\Users\Admin\1000037002\8f6e692d26.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aa96de7-9758-4dcb-b604-3aa9e899bff7} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6936a5b3-5ac5-46dd-99e6-b2eeb5825b2a} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 1 -isForBrowser -prefsHandle 3348 -prefMapHandle 2972 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d616a724-9c29-4b2d-bd3e-d45bd0b53ce8} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 2796 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d25e87-02e2-4a62-9bb9-fed9e6621ede} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11573081-d2a0-4ef1-9be4-5abb8d72cc6a} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5484 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffbea39d-a416-4ccb-8e44-822ea39b28ab} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f9c40cc-bb74-4f9c-9715-76a6499acfc6} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5868 -prefMapHandle 5812 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ac4c9a-e687-4698-a98d-a64aca18c5d1} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 6 -isForBrowser -prefsHandle 6408 -prefMapHandle 6416 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f007d4d7-fa4c-41be-8feb-134a8806c48b} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:50010 tcp
N/A 127.0.0.1:50018 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/4004-0-0x0000000000DD0000-0x0000000001291000-memory.dmp

memory/4004-1-0x0000000077984000-0x0000000077986000-memory.dmp

memory/4004-2-0x0000000000DD1000-0x0000000000DFF000-memory.dmp

memory/4004-3-0x0000000000DD0000-0x0000000001291000-memory.dmp

memory/4004-4-0x0000000000DD0000-0x0000000001291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d3d78e1c124fae22319920f6cd2519fd
SHA1 4dc7763f9097c4f88e5ea69c05f8d591c3ff4628
SHA256 e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
SHA512 c1ac5b72b44720b75010aa09674f35bda28a49f0c09ffaeba46e2eb911bbc3ec5976aef957e896b60e43e186a6344f96a9fde8a66da31ed033c04cb8f077ef98

memory/2144-16-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/4004-18-0x0000000000DD0000-0x0000000001291000-memory.dmp

memory/2144-19-0x0000000000561000-0x000000000058F000-memory.dmp

memory/2144-20-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-21-0x0000000000560000-0x0000000000A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e29accf2cd.exe

MD5 5d0ffc867062f7deae37eede861b190d
SHA1 2fea2ad5abd61031c200b0d54c0534aaf216cdd3
SHA256 86aefa1f3bd48d3e58d04159ece977abaa54d0e1dd18eb50c1382a2838e3b793
SHA512 8367eceb7fcfa060d9df57277d45ce8a2e479530556ebccd76331c5ffa07107482a156edfea50656b83a58f39074c8ca4d88fbb403775fb0c6231180b77370c5

memory/1068-40-0x000000007359E000-0x000000007359F000-memory.dmp

memory/1068-41-0x0000000000120000-0x0000000000250000-memory.dmp

memory/2168-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2168-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2168-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\8f6e692d26.exe

MD5 bbe806cb79b33ffa22e8936f13aa6f2a
SHA1 130f60ce2aa9160eb3f56178e40153c9ff0ba04c
SHA256 8d2938ce81c0bdec367c5d8843d1c10d7ff99ff384342fbd832cdfdb301d733c
SHA512 264534078c13bef72a571dcea5f67172938f1b18655b16e3ef629c44fb0d14a77254c3714c08171ff63254beca78c1aea5dce69a5a6757e165cd1cf212568841

memory/4704-66-0x00000000006F0000-0x0000000000728000-memory.dmp

memory/876-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/876-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\f3eaefc4f8.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1776-86-0x00000000004E0000-0x0000000000723000-memory.dmp

memory/1776-87-0x00000000004E0000-0x0000000000723000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 ddf574ad9549f73cb804121c527ee72b
SHA1 b24beace4837acf061e27256e1d306dbd76607fc
SHA256 4d1a78a55d92ec51dae00a89bd03a588d66acb8c2199f9051c8586c43f386d13
SHA512 c982dc49f4de0c9df39dd3c9aa4e060c2434f04b8e29b0e300b487b079ca1d63dd13eef4a5f900cfec020e7e360680e9e6fcf74834215b9d04c4179a4d36ec08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\23c2e944-b8e6-461f-8cc4-5d681d87a442

MD5 e743172b6872223b2801606bbfc66c9a
SHA1 9d43542235927d3c23c871d000fc56dfc2d73896
SHA256 213d8c03681f03669ff0a7b43c72050e88421eb5e2f40e5d01643d651e97a104
SHA512 f1b22eb739fa38953cd2ceaca8827a0cd0a75819f4009891ab38498b83020b898433f12675d30bac362077528a15177813f2835f2c7e65a69b4d76186d0d4406

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\5d641671-72f4-4f5a-9378-7ed38ec48faf

MD5 ba6322d93f80b0b99078bc308b02921e
SHA1 9873bb68dc7073190ebc3826a3db4c13e31faeec
SHA256 91871c62fc366fd91a77f0f4745f29d3af29e8bf988ed5dcd403ae1d827b730f
SHA512 5fdac708f6822a781ef0b735a812a337276911c5f15e409c519df0b34dcc9579d0117bef445d3d811e61b0879e700045d5c9a9db96a4af398407b8c9fd265044

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 597009566d776580cf5e5ebd7f973029
SHA1 aa237207864ab86989ce12fba43c30b210fcfcfd
SHA256 1a57729940b9bbca776c780e56fb78cb940c912524775945f1e2109c2d25f281
SHA512 8d6d63c00364a1f7215c652ca3d73b11e5f323a2966b969d635e8381b035958c0ef907c8bf3b09617faac778c46fd134c1ba7d41cbedf3a8b2f1f10b2af76424

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 966ff59951768497f635d058048e1cfa
SHA1 315c0bfcddd8f85a6ed30e157dcaa924f1f14ca3
SHA256 e51f100ba8934d8f15bf7664ac0bcec618c946fd7b17152bd27f26d93593be27
SHA512 0e245d4188b5e5306e75f589b5aab437e7604b33db4646ac5731691594f80d8fd69dd321f42b9dc07d4fa6582461cfe598f817459ef0f12cc36314a8c81b087b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 b23b6862b62d971b579ac1ad458f4112
SHA1 71a175aea62f829480c3ca9fb52eede6a111a7c2
SHA256 4931ba2e988bad6b8f9a52824c6a79aedc96e680d1b9ab421f7a500a8d31e91a
SHA512 bf77b3d71b044511eb76efa166c8150cb53a7dee025bfc5e6ca26936432e5ff1db26b414882ae63deda358838f388c24928109f658872ba2f22536764553d908

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 ce61c3db62292264cb34d418c0fafd08
SHA1 1e64456e1b9746b80183a3852d09de1641b9b54f
SHA256 509a600c4ed68c5aa582291421c775204a0cbcc0cec2a846ee5b51a1685b80ac
SHA512 ceb2045e0ac0131710832a3d85b2918d7a68e95fa2f124a3e47af5a0841e86bb8a0d02e6b415f5957d7b74aa2605a17b7edc4f0ce38a643607ad6a4c0b4df216

memory/2144-411-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-461-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-462-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-467-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-468-0x0000000000560000-0x0000000000A21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 d0f14a54ccbd48afdb6a85d5e925c92a
SHA1 17127b7a5f5b4a580966ba83a904b39a42652225
SHA256 abbee1ba8398c47b7de2a7976e6fdd6a32912708457230ef0d1705156eb580fc
SHA512 6828acc4b30778802430aa4a099fd0ea3c75e8d091e5fff42f57a5098845112d407a1b0cac9ff2db8461b86b5975cef840b31923eaa68b4799d88b472893162e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 b5607caea914fd22b07b3ada7724b2ad
SHA1 99d1e205c1c6635d58a2eba6a3c9c6407fb3d6f0
SHA256 4355cdca87e8f37cd09e955c90f3e62ddabea58549c77eba31297993a97ec88f
SHA512 42adff817e63e73b67618ad81a2dcba3cadc9bdb92af0c0b3bc3b1a06b473e68654309cb3eb43959d0ee5add408f2cdd0fe1d767e6a64be63ef37ff4ce199530

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 33eef8b126ef2e1f61dbc2b3818a4c44
SHA1 e5fda03938f812192d6711b54231eb1a912d2f0e
SHA256 f10894aa03db266da5d20c3e4778cb8c1f4d2e72ca2cdd3971ea7a92dc9b763c
SHA512 3efaf735c903c8aa663b010829b13f561c2af3e41529dc83e35f8e91a07d968a398623f3d5bb2c1d7390445765ed870a18986816d9fdd5f6146c9dd5b098d059

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 82dd94f3ad85ea352a85694b64305797
SHA1 088a8ea7aadb2ea5b69c98ca0eef14c5e554a857
SHA256 ebf2a0a7a1c28d75e6da7d609f1561de3bd412bee029871fe0f8b03983daf552
SHA512 896abf37f4c43132d86356d9eea2630a51a889adba67f1ade4625c3dba932f9e31d2d482e21c3ca6b6c8dba789f5c6f0532d5be2ecbbe11b308eb6584c780902

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 97fee50395e793d1395391596f6ae518
SHA1 e32a9386624634689eb0dabf6bc547e20eb77933
SHA256 3aff9ccea4d38404fef73a573cf93911e5915ac60fe857a74956f088edfce530
SHA512 9431dcdf6b6262a418143dc2dfebe559c4eb1f3ea5774e96ebf3a92d2db97d7c3c05baf20edddab96cfbb07f6869a889dc050dff87fe453b5d21735538db58b2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 28550e3a73aae45347e4da4652336a47
SHA1 9692bfdd06d4cab97ae39da997e32eaadf456649
SHA256 c80989b6ea325ddb0821a1ee4a6f949b2243f67c89b87db5b2b73e328c00bbf0
SHA512 7a27899f189642f2e0102695eb13018521a39596b5f96cb5d9c9fc98677160028cb3874ca8114b399c2df94580ac77e714ec28f02ce320a3c398bddeb2103d2b

memory/2144-981-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2088-1495-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2088-1546-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-1732-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2274-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2722-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2728-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2729-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2730-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/6136-2732-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/6136-2733-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2734-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2735-0x0000000000560000-0x0000000000A21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 4588c452ab8b826fd1f8b9a544c28cb0
SHA1 c45c1c2e7251ea0299e798a40e42855f02120c22
SHA256 e7313d771aeb56b2d6ddee727a12bb2225589bd298a506de1843165ead96d84f
SHA512 52e5c3928025bd9138bbaaa76ac605b1673b88bcba7807a099a221036f0baf5b2041f29036199ef4eb9a184d8d27568dc014a0f0056217b50d9d13d78e3f52fd

memory/2144-2744-0x0000000000560000-0x0000000000A21000-memory.dmp

memory/2144-2746-0x0000000000560000-0x0000000000A21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-13 01:17

Reported 2024-08-13 01:19

Platform win11-20240802-en

Max time kernel 149s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a3825124e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8a3825124e.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 820 set thread context of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 set thread context of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\f3eaefc4f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3696 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3696 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4116 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe
PID 4116 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe
PID 4116 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 820 wrote to memory of 132 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4116 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f3eaefc4f8.exe
PID 4116 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f3eaefc4f8.exe
PID 4116 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\f3eaefc4f8.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1544 wrote to memory of 3292 N/A C:\Users\Admin\1000037002\f3eaefc4f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4116 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe
PID 4116 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe
PID 4116 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe
PID 132 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 132 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2852 wrote to memory of 4468 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4468 wrote to memory of 5008 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe

"C:\Users\Admin\AppData\Local\Temp\e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\f3eaefc4f8.exe

"C:\Users\Admin\1000037002\f3eaefc4f8.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc4da207-5b60-4b8c-960a-62a36885bd0f} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e17d7382-0f05-4cd5-8836-c3f0ed8d2d0d} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3352 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a62eb83-6d51-4ab6-b9f4-404f010f8e5e} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 2 -isForBrowser -prefsHandle 3012 -prefMapHandle 3576 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2713f370-a174-4316-b8ba-84566ad2081c} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4492 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c3d8b1-904d-441b-a606-4c6b84b212f5} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 4504 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747517b2-de06-4e7e-a90a-1dd16d398553} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 4 -isForBrowser -prefsHandle 5860 -prefMapHandle 5856 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdfa73ec-74f8-494b-90a6-0faeb2f221c6} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a73493-c9dd-4031-a2bb-c35f79447700} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6180 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 6192 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08293983-4eeb-4b10-9a6f-f9ced65f0d40} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49875 tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
N/A 127.0.0.1:49883 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp

Files

memory/3696-0-0x0000000000490000-0x0000000000951000-memory.dmp

memory/3696-1-0x0000000077296000-0x0000000077298000-memory.dmp

memory/3696-2-0x0000000000491000-0x00000000004BF000-memory.dmp

memory/3696-3-0x0000000000490000-0x0000000000951000-memory.dmp

memory/3696-5-0x0000000000490000-0x0000000000951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 d3d78e1c124fae22319920f6cd2519fd
SHA1 4dc7763f9097c4f88e5ea69c05f8d591c3ff4628
SHA256 e2009d4ba870727729dfb0a3640923948cb5bddefa41902a9ea98879aaf384be
SHA512 c1ac5b72b44720b75010aa09674f35bda28a49f0c09ffaeba46e2eb911bbc3ec5976aef957e896b60e43e186a6344f96a9fde8a66da31ed033c04cb8f077ef98

memory/3696-17-0x0000000000490000-0x0000000000951000-memory.dmp

memory/4116-18-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-19-0x00000000009A1000-0x00000000009CF000-memory.dmp

memory/4116-20-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-21-0x00000000009A0000-0x0000000000E61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\8a3825124e.exe

MD5 5d0ffc867062f7deae37eede861b190d
SHA1 2fea2ad5abd61031c200b0d54c0534aaf216cdd3
SHA256 86aefa1f3bd48d3e58d04159ece977abaa54d0e1dd18eb50c1382a2838e3b793
SHA512 8367eceb7fcfa060d9df57277d45ce8a2e479530556ebccd76331c5ffa07107482a156edfea50656b83a58f39074c8ca4d88fbb403775fb0c6231180b77370c5

memory/820-40-0x0000000072C5E000-0x0000000072C5F000-memory.dmp

memory/820-41-0x0000000000170000-0x00000000002A0000-memory.dmp

memory/132-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/132-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/132-43-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\f3eaefc4f8.exe

MD5 bbe806cb79b33ffa22e8936f13aa6f2a
SHA1 130f60ce2aa9160eb3f56178e40153c9ff0ba04c
SHA256 8d2938ce81c0bdec367c5d8843d1c10d7ff99ff384342fbd832cdfdb301d733c
SHA512 264534078c13bef72a571dcea5f67172938f1b18655b16e3ef629c44fb0d14a77254c3714c08171ff63254beca78c1aea5dce69a5a6757e165cd1cf212568841

memory/1544-66-0x0000000000840000-0x0000000000878000-memory.dmp

memory/3292-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3292-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\942e9218a2.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1572-86-0x00000000009D0000-0x0000000000C13000-memory.dmp

memory/1572-87-0x00000000009D0000-0x0000000000C13000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\df8eaa53-47f8-4a13-8fb8-973fe1de6d7d

MD5 74b84790335312776e11e7a526d292cc
SHA1 ba527e75bfde083044ba89be9084e598f5f09b81
SHA256 8146bdc512ffa98709db47326ea844c67f09ddd36b32e694cbf4c83cbedd4189
SHA512 bce44f7c5ed829b6e5bad5eeee58b6270e654dfa8b5e94194fc78aeb209996ea5ecc75f310fd0b32497d4c8e39c9978c603b8369db516f868f095fef7c58bfa5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\d6f48094-1f97-4b56-9c44-a3516470d6e2

MD5 d880fefda0ba2cb8f8544c5a2a564d25
SHA1 1fb93c07a504de1b4851aa4f206e41e8e8540bb7
SHA256 bf9c30d4934e6c09e7e3ea9cf55530bf6190425161e45caac26cef9a5e659aaa
SHA512 6cf10097ea3b824f98eee617ade186a68ba70942004754054462e71873705c7383a59798e77291079dac584de6702db8db7a92da241cf4076189061d96c388f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 c906deac29733e62048eff4c079e88a5
SHA1 6af4e4f5e38e82dfda8150f1ed3fea2fcb1c9710
SHA256 2a8d5844302f8d61b6861e3233cac0191708cedf08649d4efc72bb570666cea6
SHA512 d9e614adc402218721092593d25700696d1363651a15a30b4681ab7d7ad64551b2f0912462489b540af00381ab80d505691a3e7e13d9d4583b8d21ef8278da07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 07b0d444f954dcc025a51e4eaf454c1d
SHA1 049c877d465aab92618209aa753bc026454c9e4c
SHA256 f5bd1d2566666243f87133e37a78e7927067e1aca50c8f7bd7553e15668eda6a
SHA512 ed882c219e3b9e57f5d72dd41d551fb24d641f430dea2adc05139d80d2ac493926a81b9b43c3891e211e5cfe1b2c93465e87c475a299975506377ee0370a9793

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

MD5 2ad12b2f5aac3a6644408518ebeb21e2
SHA1 339c0e562dda8e9be59aa0fbf70f5fb13ed35794
SHA256 1c2d60100055e706948458ed2b7dc358e1d79b2c3945e0f6f46f39988923c5be
SHA512 0789c5b412b28286750e7eb9d31e9b370c40f98ead1fec4d1cc26a783c465c717f5fe25f496b09e3f8f790b06c14bf1535f58c3dc9e19259742f943f075c5334

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 278646e175d9c62c21a533f716e05478
SHA1 ea451c80ed153db779f45de10733ab345f7d6efd
SHA256 e2b70ff6786f8a8ac0f5e9fe65a54fb332b41414dbe74960dbdf73db716bb94a
SHA512 b57e0bdc4bbd0c669ea969d9c69cc033163303c451b808238b583d87c456963ad86f512e0dbf14efec3822af60d08e512e81cbad7410a18496a48f19746b7b1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 42a8b63b2eefc0ba9b1bb7b7d10c9140
SHA1 e117b7c72b83baba5e721ab4a879b0dbff0c6073
SHA256 1be036483a09cfcaf5f6e7f8f81096b5e10e7cbd991dde0c32b4064c4874e2fa
SHA512 96de5853abbe94c5f26b13445425f35624a668ec4664646d332a9979b0f456e18c7347ec69a2a56a2be766dac762cf242ebf4bb0c9a859dc7e5049d360f8b7c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 e56175bc005df6df5796f8e8d9b789e1
SHA1 4555ed14d9ef530cf0b71cb8a8085b46b5e8e312
SHA256 206979481461b930d46675200687403a8f5279883187af6c21c0e771ccd0b3d0
SHA512 761aa3cda16d4b1ab4be0e3d8851f9d2b441bfd60147cd81dbec1e2e82865ba974ba542e9eb1b99ffc8c86e6772f578441c067560ccdd91754774868c73c300b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 25a87fc271e59b233bc57a0186d42a1a
SHA1 3365b48aeba3719582eacc777675db93c7e566b8
SHA256 6e48a3b8a979e66f3a7e9ad1c35e9b53c373c01fd223deaa549a891cec37f25f
SHA512 280ecda138ea99b3a61d32d75285136921912e449fc84c6bcfa79f5f3e661b4dc3d68b9a53018ee9904b2b487c8d8519995ecb4c7823cbf8834b456b29e303ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 a8f8c51a86e49d08e1dccd58c23eadcc
SHA1 bf4b24ba5064b883ca3cf5d4e0eb6419e1e7be77
SHA256 46b4d8fe818efc4a2902f25f13362f74f3c9487dbbfb6e8a0f195425dbc3e32a
SHA512 a548c953d4debc1d2c4b79d0da2bda6676bdfac929def7e563dfd67530f1699edcb63ad866422d313d7fb8d7d28b985e3d5b5ca91d9b46d2e980208f9e32041e

memory/4116-412-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-419-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-428-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-431-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-432-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-433-0x00000000009A0000-0x0000000000E61000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 077e4c901fe3984f7cfb9d35539b2841
SHA1 4e21cbd01be9eb7506444d9657b29a3013a623c7
SHA256 f0022c5a2f68fa293f583ab5b854e715352fa399118d726cf01b2408b44f7ecd
SHA512 6abe83754f8983e3664e5bc4c141620b9021372b2a943d6370be08df15bec4bbae6dfff6a5bf2e99874c956d2dc602448b76c83f90f8c967b44b09373a702c2c

memory/4116-460-0x00000000009A0000-0x0000000000E61000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 1c0c09c92a94aa8cfdbf06397f8e9f24
SHA1 f9b1dc3c548d05f5138ea8f8d75479edecae6ff4
SHA256 95e00fb40d697cd62bc58b7820180b216786a72b033a5b1a696b120c9b7c74ab
SHA512 9fd0781624705925531a6fdfe37af15728081e6906cd8668edc6962723512b1f0ae9a745f6b3ea3b728798b61a9e12a290919c6dd6ac7e7164f1f3925b74e1be

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 48d544c47b971fe715f1f13cd2d2b208
SHA1 260baa15ac31e71a2b7347dcd466facc7adeb6e9
SHA256 211d7a47f472b402c19cf5ad99d1925989f20a22be11bc8863cee9d69c037fb4
SHA512 47ee4db694097686911dbdee5aa323ba51b710bff57cd43aa7c1a8c75380a6f195c4f7128dd8eed25bb33fd2ce4f8fd558d5ecdb8dd56e31c8203218d73546a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 aaa94c2ca484c4519367b35dc288259f
SHA1 b7a5318441826ed9f457304e919c81a059047a07
SHA256 0c091f5e5d1b624a449f3cc0171544b54269f357dc24ebee0c09ddabcfd191cc
SHA512 a60f430684453a94a8ed445556d3be4a62bf77aec5422131f5397f735fa4163f13467519973305e5b303ef60713140a9e2f62048760a3becd5ae2fbe6142cdad

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 581db68b692a064fb2afbfb7132b0115
SHA1 62e0da11a5a0a50527c95fbc6da07fcbe80d6391
SHA256 9a3e99b56a0dba3286523727ad6b3013cd0c3e821efa87e87dc7b78f5f02a33c
SHA512 70c5711d6ede3a393b78a9361a99f86fb54d00843e7b444cdbb2a46b0eb1441465b5d383181fdbf5f013851f3a118fa466685f2ea94141a956c6805e7cfa34ba

memory/4116-1640-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/3948-2452-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/3948-2553-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-2752-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-2753-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-2759-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-2761-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/4116-2762-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/5160-2764-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/5160-2765-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/5160-2766-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/5160-2772-0x00000000009A0000-0x0000000000E61000-memory.dmp

memory/5160-2773-0x00000000009A0000-0x0000000000E61000-memory.dmp