Malware Analysis Report

2024-10-18 23:42

Sample ID 240813-l35sfasbqm
Target e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
SHA256 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
Tags
amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765

Threat Level: Known bad

The file e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 10:04

Reported

2024-08-13 10:07

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (x4)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A (x4)
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
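The three evasion signatures above (VirtualBox ACPI table, BIOS version strings, Wine key) are all plain registry lookups, so they are easy to pick out of a sandbox event stream or a Sysmon Event ID 12/13 feed. The following Python is an added example, not part of this report or of the sandbox's own detection logic: it classifies registry paths into anti-analysis categories, counts them per process image, and flags user-profile binaries that probe more than one category. The event tuples are constructed from the rows of this report (with two benign lookups from later sections as controls); the category names, the FADT/RSDT variants of the VirtualBox key, the user-writable heuristic and the two-category threshold are this example's own choices.

```python
"""Classify sandbox registry events as anti-analysis lookups.

Added example, not part of the original report. EVENTS is constructed from
the indicator rows of the report; category names, is_user_writable() and the
suspicious_processes() threshold are this example's own choices.
"""
import re
from collections import defaultdict

# Registry locations that exist, or carry telltale strings, only on
# VirtualBox guests or under Wine. VirtualBox publishes its OEM ID "VBOX__"
# under several ACPI tables; this report only shows DSDT being opened.
ANTI_ANALYSIS_KEYS = [
    ("virtualbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_strings", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"\\Software\\Wine$", re.I)),
]


def classify(path):
    """Return the evasion category for a registry path, or None when the
    lookup is not one of the known hypervisor/Wine fingerprints."""
    for label, pattern in ANTI_ANALYSIS_KEYS:
        if pattern.search(path):
            return label
    return None


def evasion_summary(events):
    """Count anti-analysis lookups per process image.

    events: iterable of (operation, registry_path, process_image) tuples.
    Returns {process_image: {category: count}} for images that hit at all.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for _operation, path, image in events:
        label = classify(path)
        if label is not None:
            summary[image][label] += 1
    return {image: dict(counts) for image, counts in summary.items()}


def is_user_writable(image):
    """Heuristic: a binary running from a user profile is not an installed
    product; combined with VM fingerprinting that is a strong signal."""
    return image.lower().startswith("c:\\users\\")


def suspicious_processes(events, min_categories=2):
    """Basenames of user-profile binaries that probed at least
    min_categories distinct anti-analysis locations, sorted."""
    hits = []
    for image, counts in evasion_summary(events).items():
        if is_user_writable(image) and len(counts) >= min_categories:
            hits.append(image.rsplit("\\", 1)[-1])
    return sorted(hits)


# Constructed sample, reduced from the rows of this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
VBOX = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
SYSBIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDBIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
WINE = r"\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine"
GEO = r"\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation"
CPU_MHZ = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"

EVENTS = (
    [("Key opened", VBOX, SAMPLE)]
    + [("Key opened", VBOX, DROPPER)] * 4
    + [("Key value queried", SYSBIOS, DROPPER), ("Key value queried", VIDBIOS, DROPPER)] * 3
    + [("Key value queried", SYSBIOS, SAMPLE), ("Key value queried", VIDBIOS, SAMPLE)]
    + [("Key opened", WINE, DROPPER)] * 4
    + [("Key opened", WINE, SAMPLE)]
    # Benign controls from the same report: location and CPU speed queries
    # are ordinary and must not count as evasion.
    + [("Key value queried", GEO, REGASM), ("Key value queried", CPU_MHZ, FIREFOX)]
)

if __name__ == "__main__":
    for image, counts in evasion_summary(EVENTS).items():
        print(image.rsplit("\\", 1)[-1], counts)
    print("suspicious:", suspicious_processes(EVENTS))
```

The same patterns are what a sandbox operator should hide: on a VirtualBox guest the VBOX__ ACPI keys and the BIOS version strings are exactly what explorti.exe reads here, so an image that does not patch them will be detected before any payload is fetched.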

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a61151bbb9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a61151bbb9.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (x3)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2932 set thread context of 3992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1724 set thread context of 5048 N/A C:\Users\Admin\1000037002\39022e5fcd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
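Two persistence artefacts appear in this run: explorti.exe writes an HKCU Run value pointing at a second-stage binary in %TEMP%, and the original sample drops explorti.job into C:\Windows\Tasks (a .job file is the Task Scheduler 1.0 registration format, which matches the "Uses Task Scheduler COM API" signature later in this analysis). The Python below is an added example, not part of this report or the sandbox: it turns such Run-key and file-creation rows into ATT&CK-tagged findings and emits the removal commands an incident responder would run. The event dicts are constructed from the rows above plus one benign control; the user-writable heuristic and the assumption that the scheduled task is named after its .job file are this example's own.

```python
"""Triage persistence artefacts from sandbox registry and file events.

Added example, not part of the original report. EVENTS is constructed from
the 'Adds Run key' and 'Drops file in Windows directory' rows above; the
ATT&CK IDs are standard, while the user-writable heuristic and the
task-name-equals-job-stem assumption are this example's own.
"""
import re

HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def native_to_hkcu(native_key):
    """Translate \\REGISTRY\\USER\\<SID>\\... into the HKCU\\... form that
    reg.exe accepts."""
    return HIVE_RE.sub(lambda _m: "HKCU\\", native_key)


def executable_from_data(data):
    """Registry data in these reports is rendered with doubled backslashes
    and quotes; recover the executable path (arguments, if any, dropped)."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def persistence_findings(events):
    """One finding per event that establishes persistence.

    events: dicts with keys op, process and either key+data (registry) or
    path (file), mirroring the report's Description/Indicator/Process columns.
    """
    findings = []
    for ev in events:
        op = ev["op"]
        if op.startswith("Set value") and "key" in ev:
            key, value_name = ev["key"].rsplit("\\", 1)
            if RUN_KEY_RE.search(key):
                target = executable_from_data(ev["data"])
                # Heuristic: installed software lives under Program Files;
                # a Run entry into a user profile directory is the signal.
                if is_user_writable(target):
                    findings.append({
                        "technique": "T1547.001",  # Registry Run Keys / Startup Folder
                        "key": native_to_hkcu(key),
                        "value": value_name,
                        "target": target,
                        "actor": ev["process"],
                    })
        elif op == "File created":
            path = ev["path"]
            low = path.lower()
            # A .job under %windir%\Tasks is a Task Scheduler 1.0 task
            # registration; a binary in %TEMP% has no business writing one.
            if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job") \
                    and is_user_writable(ev["process"]):
                findings.append({
                    "technique": "T1053.005",  # Scheduled Task
                    "path": path,
                    # assumption: the task carries the .job file's base name
                    "task_name": path.rsplit("\\", 1)[-1][:-4],
                    "actor": ev["process"],
                })
    return findings


def remediation_commands(findings):
    """cmd.exe lines to remove the artefacts. The schtasks task name rests on
    the assumption noted in persistence_findings()."""
    cmds = []
    for f in findings:
        if f["technique"] == "T1547.001":
            cmds.append('reg delete "%s" /v %s /f' % (f["key"], f["value"]))
        elif f["technique"] == "T1053.005":
            cmds.append("schtasks /delete /tn %s /f" % f["task_name"])
    return cmds


SID = "S-1-5-21-355097885-2402257403-2971294179-1000"
EVENTS = [  # constructed from this report's rows
    {"op": "Set value (str)",
     "key": "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\a61151bbb9.exe",
     "data": '"C:\\\\Users\\\\Admin\\\\AppData\\\\Local\\\\Temp\\\\1000036001\\\\a61151bbb9.exe"',
     "process": r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"},
    {"op": "File created", "path": r"C:\Windows\Tasks\explorti.job",
     "process": r"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"},
    # Constructed control: an installed product registering itself is not flagged.
    {"op": "Set value (str)",
     "key": "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": '"C:\\\\Program Files\\\\Example\\\\updater.exe" /background',
     "process": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    for cmd in remediation_commands(persistence_findings(EVENTS)):
        print(cmd)
```

Removing the Run value and the task is not enough on its own: the Run entry points at a61151bbb9.exe, which this report shows injecting into RegAsm.exe, so the dropped binaries under %TEMP% and the running RegAsm.exe instances have to be dealt with in the same pass.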

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\39022e5fcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe N/A

Checks processor information in registry

Note: this signature and the following ones (Modifies registry class, AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx) are raised mostly or entirely by firefox.exe, the legitimate browser that the RegAsm.exe instance injected by a61151bbb9.exe launched against the Google account password page (see Processes). They describe ordinary browser behaviour and add nothing to the sample's capability assessment; the rows attributed to RegAsm.exe are the ones worth reading.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x5)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x7)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x21)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x36)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x7)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x20)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (x37)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (x3)
PID 3068 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe (x3)
PID 2932 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (x10)
PID 3068 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\39022e5fcd.exe (x3)
PID 1724 wrote to memory of 5048 N/A C:\Users\Admin\1000037002\39022e5fcd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (x9)
PID 3068 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe (x3)
PID 3992 wrote to memory of 4380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (x2)
PID 4380 wrote to memory of 3524 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x11)
PID 3524 wrote to memory of 3012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x20)
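Read together with the SetThreadContext table, the WriteProcessMemory rows give the whole execution chain: the sample spawns explorti.exe (Amadey's loader), which spawns three downloaded payloads; two of them (a61151bbb9.exe and 39022e5fcd.exe) each write into a freshly created RegAsm.exe and then call SetThreadContext on it, which is the process-hollowing pattern, and the hollowed RegAsm.exe (pid 3992) is the process that launches firefox.exe. The Python below is an added example, not part of this report: it rebuilds the tree from rows like these, labels hops where a writer also reset the child's thread context, and lists the hollowed hosts. WRITES and SET_CONTEXT are transcribed from the two tables (the count is the number of repeated rows); treating the first writer as the creator and the "hollowing" label are this example's interpretation.

```python
"""Rebuild the process and injection chain from WriteProcessMemory and
SetThreadContext rows.

Added example, not part of the original report. WRITES and SET_CONTEXT are
transcribed from the two signature tables; the 'hollowing' label is this
example's interpretation of a WriteProcessMemory + SetThreadContext pair
aimed at the same child.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD1 = r"C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe"
PAYLOAD2 = r"C:\Users\Admin\1000037002\39022e5fcd.exe"
PAYLOAD3 = r"C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# (writer pid, target pid, writer image, target image, number of rows)
WRITES = [
    (4996, 3068, SAMPLE, DROPPER, 3),
    (3068, 2932, DROPPER, PAYLOAD1, 3),
    (2932, 3992, PAYLOAD1, REGASM, 10),
    (3068, 1724, DROPPER, PAYLOAD2, 3),
    (1724, 5048, PAYLOAD2, REGASM, 9),
    (3068, 2312, DROPPER, PAYLOAD3, 3),
    (3992, 4380, REGASM, FIREFOX, 2),
    (4380, 3524, FIREFOX, FIREFOX, 11),
    (3524, 3012, FIREFOX, FIREFOX, 20),
]
# (pid, target pid) pairs from 'Suspicious use of SetThreadContext'
SET_CONTEXT = {(2932, 3992), (1724, 5048)}


def basename(image):
    return image.rsplit("\\", 1)[-1]


def build_tree(writes):
    """Parent map, image map and write counts keyed by (writer, target)."""
    parent, images, counts = {}, {}, defaultdict(int)
    for writer, target, w_image, t_image, n in writes:
        images[writer] = w_image
        images[target] = t_image
        parent.setdefault(target, writer)  # first writer is treated as the creator
        counts[(writer, target)] += n
    return parent, images, counts


def hop_kind(writer, target, set_context):
    """'hollowing' when the writer also reset the target's thread context,
    i.e. it replaced the image of a child it created suspended. A hop with
    only a few writes and no SetThreadContext is consistent with what
    CreateProcess itself does when it sets up a new child."""
    return "hollowing" if (writer, target) in set_context else "spawn"


def chains(writes):
    """All root-to-leaf pid paths, children visited in pid order."""
    parent, images, _ = build_tree(writes)
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    roots = sorted(pid for pid in images if pid not in parent)
    paths = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            paths.append(path)
        for child in sorted(children[pid]):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return paths


def describe(writes, set_context):
    """Render each chain; hollowed hosts are marked with their write count."""
    _, images, counts = build_tree(writes)
    lines = []
    for path in chains(writes):
        parts = [f"{basename(images[path[0]])}({path[0]})"]
        for writer, target in zip(path, path[1:]):
            label = f"{basename(images[target])}({target})"
            if hop_kind(writer, target, set_context) == "hollowing":
                label += f" [hollowed, {counts[(writer, target)]} writes]"
            parts.append(label)
        lines.append(" -> ".join(parts))
    return lines


def hollowed_hosts(writes, set_context):
    """(pid, basename) of every process whose image was replaced."""
    _, images, _ = build_tree(writes)
    return {(t, basename(images[t])) for (_w, t) in set_context if t in images}


if __name__ == "__main__":
    for line in describe(WRITES, SET_CONTEXT):
        print(line)
```

The firefox.exe to firefox.exe hops are the browser's own multiprocess start-up (the -contentproc command lines in Processes), not injection; the point of the chain is that everything Firefox does here, including opening the Google password page, is parented by a Microsoft-signed RegAsm.exe whose code is no longer RegAsm's.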

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe

"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\39022e5fcd.exe

"C:\Users\Admin\1000037002\39022e5fcd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b10569-353e-443b-8d87-fe8beda409b3} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {908b47df-111f-45bc-bbdb-4fd8b4799bcb} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e0b43d-74fb-42a2-bece-4180b7edac8b} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3460065d-4b5b-4d7b-a670-13d35a59dcaf} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4544 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edce8c0d-d719-4f4e-ab48-dc4ea405a7ca} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5340 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed66ce30-4785-4c86-b17c-de13de5a3038} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f1a4c70-08d2-48ec-a207-2fe773fc1f1f} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebf58567-3e44-4b33-9159-5c8f61986fdb} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 6 -isForBrowser -prefsHandle 6320 -prefMapHandle 6328 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a432dbe5-8439-4bf3-8396-482cbe72e8c9} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
N/A 127.0.0.1:50422 tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:50430 tcp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4996-0-0x0000000000980000-0x0000000000E3E000-memory.dmp

memory/4996-1-0x0000000077664000-0x0000000077666000-memory.dmp

memory/4996-3-0x0000000000980000-0x0000000000E3E000-memory.dmp

memory/4996-2-0x0000000000981000-0x00000000009AF000-memory.dmp

memory/4996-4-0x0000000000980000-0x0000000000E3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 ba37a189ab35239217ccdd4f4766c71c
SHA1 3c0026b03213b6aa832f7e6221f1ebc601066898
SHA256 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
SHA512 03940a1b0310e5a37931e531f4c65a53c9adab784c527e50065f5e22f10687d8f0f260a1c51453e4ffe780205c4bdd8603cac3a72bc461acb3c8ab6a20bee474

memory/3068-18-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/4996-17-0x0000000000980000-0x0000000000E3E000-memory.dmp

memory/3068-20-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-19-0x00000000004A1000-0x00000000004CF000-memory.dmp

memory/3068-21-0x00000000004A0000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe

MD5 7df65683dbced3f7291eb39076e2e5e8
SHA1 71713f2fe64b7750c91bb5cf5f430bc4cd98fe1b
SHA256 04b82fddffd0735b575f82f9ae450409fe93496a86dfc5eef2f93e22e5f3be0d
SHA512 179aa98c467a961acac274b6f0a2e8f907304a82dabd53019de273255942e90debeb1948f1e293476a922391f17b695ca8ff2620320db3d61ecf19a3cc650c36

memory/3068-40-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/2932-41-0x000000007327E000-0x000000007327F000-memory.dmp

memory/2932-42-0x0000000000470000-0x00000000005A0000-memory.dmp

memory/3992-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3992-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3992-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\39022e5fcd.exe

MD5 cb4e84cce0305faa0a43117b20174638
SHA1 5e0b5ea5e872486aaaaa28379ea08611f4a93a91
SHA256 5d3fbab87e5beaff194ad29e919aff1306fd5be2eb1beefaac069ffd5472e537
SHA512 a8be13a3d14c11f91b3d7feb7b5fc05aea026e00c1df8d01aef30e27da6441bb3734c406ffcd235fff7c4113b0bfe251cb7aec2620864d6689f6b2b8a37ce42e

memory/1724-67-0x0000000000090000-0x00000000000C8000-memory.dmp

memory/5048-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/5048-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\4fb177122a.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2312-87-0x0000000000EB0000-0x00000000010F3000-memory.dmp

memory/2312-92-0x0000000000EB0000-0x00000000010F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\d33dadb7-eee4-4a0e-9b30-ded8a0786280

MD5 bcba3ed7218d18accf30e1b4d683d17c
SHA1 57e06de39a3ae6a1cafe6bcc57448342dc849d8d
SHA256 c51a604647e7f4b0a289d785d8effabcb76102bf699eb906ed3fc3ad7d553501
SHA512 b6624dbce10633face38c5380a077a5c94440410ff006cf3637fcc59e1f8597aac8cfb962a548bbb147823dd6827900f2793188e33b4d10be459e8fcad8e9847

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\0975f2bb-3992-43dd-9be8-7306509d3b57

MD5 691e600950a67cd09ca7e96769794314
SHA1 ae91aa4cbe428e600c3be8318cf2650b93aa7276
SHA256 858412a26fa0d4a5a6945d900bb140051361f4e7aa9893467b85fa0bb1c8bc5e
SHA512 b8f7f8652753ff36ef7552f6f9706b18c8f7ae19ef91d6048b27511c9e31e091bb7f13537c93f8501254ea5e4d8197d8e9fa2deff669ae9a8aff87dce72a9da4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\6a1d8bf8-3a07-4757-a19f-f3133c94eae1

MD5 495e1dbbee1a08edd6b6b103954d7235
SHA1 c2dfa11ba59530d363d604e84833160af6fe6c72
SHA256 cd91f9bde596138f4e0890514ae9378f13e80910881007f1a44a9b73caaec039
SHA512 da4bea8b0fb782b760858125c6472b5fbb06cd87feaecccca6adeea3939c4cf7e8a4bfc6f638e9506e747cf4faa1a7ef67e48a62e52e7b63b2838bcebe37de91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 3d5fb85e9d4c1946b6d6f5f61431571b
SHA1 01cfc43c86ff3cb704ede782e79d36c0cda99fd9
SHA256 93595e306df6e6ed23f5793b4a9bfa7e42bc335b73525548b02cbe15ab975b08
SHA512 4f9a0d37a7922ffddd190c9e4c25e1c510edb3c0de319458cc393ba5d7248a64006fb3e9bf1e822743e50a0a813ead2b8ad6da05047b3cbb8d569d892270b520

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 1f079efc979e7873660a3955f6920818
SHA1 87553de4b660fb664cb5d0e2ef18567b52ea7a29
SHA256 1ebfa38b9d69898160b9f0c9e0ef9b853262306e02960f6e1599e173c9db486b
SHA512 855480f1b79a48fd7c7a2fbc6eb1e0bb4a34baee66fcfdc16e981c12fcbd66dd7bd75c2d4b710cf217cf7094ed29ba0276115eb7644d1fdc7705b4513e944b26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 4b66a15bcf04bd4b53911cb21356faeb
SHA1 f74455fb4ccb7a36391fe0310b0af859a0bec7ea
SHA256 822a7fe2f1f753cac8625c2b52fd5009f0ca8277d94989434d47228031dac4b1
SHA512 e81da112bd8962da18e925ff16c1d3585481f221d70707756c7b67432dd47790a26dc76879aff2ac4e8863a494a6677a0ed4eea03d991486d36afb4ffe81396d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 1fa65a1cc2307a0f7eccd6c35f1a112e
SHA1 6d2a61347d1416c34c55ce34b36f8e0cfb531633
SHA256 1f232843ac6cb7e7fdc16ae77a610a22e30a52a8743a59056d5dea33a0ed3256
SHA512 47be80f600de784bd9cc755d9fb65c7c5efdb92826ea54db85b206a45e9a2bd8e47e4540b6317773a55421d6c10e81b8e608805eb8c1101c8ad68f8c2217fc26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 f588ebec450e1781afabfb79ce95d573
SHA1 2a87b2945454615ad2a04c1492a82785cdb43626
SHA256 f1c7e962ebcac90f9b61aa0e303cd5ad18b403185ef08d98835991165b7a1f7b
SHA512 2484f9c227aaf51bb734f13f9b9de1c780940208722a167e653dedae302153ef5e79ea5a687ed0230b85eb443ab15e6474f6d39468a628541d5bab842c179e9e

memory/3068-428-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-439-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-440-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/5740-452-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/5740-454-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-455-0x00000000004A0000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 767d6625fad78399d2d3088e674dd4ae
SHA1 db46e7db47c46e619d5bf3ddd835d06b5c36b055
SHA256 0ad73a4bd2071c0c1c17ec1b50d4220a80383a74312f4f84f8343bbee624757d
SHA512 023dada7e59cc2d1b34126bac8d6b2c7c5734c2b9d0f5fe8a5cef7bf9606d620fabacea0bfdcacffc15ee188d84f7408118ecd7cdd005dcb7fab4254a9757e05

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 1c21ecf24d173b3776d01039dcf6889f
SHA1 b7e95db3e860d1eac8f8dcab9b2ac24ab118fd84
SHA256 e024589ce99fcc550b4ac9b5963e348c764e695654e74a3dd5bdf18d4c127592
SHA512 4c672a3dcd09d3dfaa2d0d7258fb5d9c27cd4b0e2752b49902afd2852477f9019bf7c62d0bab3d267d6cd7655edae15596431a3bd7b7896df422932797deb0ec

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 08dba28ffe764e378bc2ee63af7f5d03
SHA1 e33b5bc1362f23dacbecfbe8d66a458204ec0ed7
SHA256 91d56b6c8c9b691e0c78a363f2284ab1da0783d36832a79bf047dd2d78262740
SHA512 344cdb90f24c4dc67f28d5ca3495e8e3c9043b1011453d3633a17741241ef32cee8e61f93c029d50f7301fc63c59b995866f63f7b46c4398ac2dd6eb7623e337

memory/3068-554-0x00000000004A0000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 827edb85f6311531bd92c0759f6066bc
SHA1 1cb38a8ee563d3f06252e0b9a480b6778c2a1bfe
SHA256 43478d65fa92be3b59ad5567fb1f2a6ea23a7b9893a0174a1b18877ea0c24193
SHA512 46f419ecd2411a7cc2108849a95a9bd46ef4471d6815985d0562da597119f1b6983b02504af6636e5f5f8a9b552eb9a09fe68b74903cdc789f0723e4556a9afc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 8fccdd8ff8893fab6babbde2100eab7b
SHA1 f21b47491d557a2e518728d57e8c42c3014abff4
SHA256 b378650c9a01154724784a19fb2b93985b78f8c67a8a8f16b2a2ab4b2182cba4
SHA512 70ff740a42049b70daaedf94a07b7d6670b5acd9e360db4d411849f94a91a17a4cda8aa06bece87661415c533bf796093c13779704fab666f9d48e1741f51a28

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 264967061c6c639beb3fec862bd9be1e
SHA1 088db4bcd9a9fbf016cfabc6dc14c1a78778632e
SHA256 65a0a5d5b7af203c4291fff3b0bfd0571fa61d032e8b0c54d99d98885da65e7f
SHA512 f7a1af2707be785b2aad777cd45cfe4a87f7031eaf3ff1bae4b99f56ab54a684abcd72c6979c6aa8b0a31e6e2c2c3410dea99e2dd15c75221a52076afda81c47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f0283c776137921f82be493579ac72a7
SHA1 42cd0b34b602ff578ac3214d78c76eb09d38533a
SHA256 537b35b9a349404157d1c1c8af9506b9a284ace3cb4abf009ddb06f989c9655d
SHA512 9618ea7b6531199958a225f93f3e5850b982ddd7dbfc6a090f9467e224a1c9b6a8813b3cefc4a6b142768970937794e38c7976e657ee2e526851af349fec63ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 a3f64e29073f0f63eeb818bf92a37f9d
SHA1 b87013fe5e41696305b829ede21a7d91653c8b05
SHA256 ecaf58bdd02a287c76318e6e509dd488badba87d966304e8a860bc6d42567d12
SHA512 49af20f0d42abbaa7056aee19ce7eaf2630bd84d40a400af1f4ab2b2f52f867f01fc8d1253906833fbdfe3f86c042962396e9e9500c727b36ce38c140aa245e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 2b1dc1dfc2f0420f202cee8165eb2ca4
SHA1 fcdbfc3d4ecbe8da3c3a7bc57091446181ca6073
SHA256 4fab050fad87571cae0d4487fc7ca199988f844c81a4c03eeab46e9c98295e71
SHA512 ece6cc42a22a97722685bb90ccc138f1c007872a5e4de739412643d8cf689772074fdb733a45606c2f6af98ea18dfcd1aca0799058f51a065af676f12300812c

memory/3068-917-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-1207-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-1841-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2598-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/2888-2779-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/2888-2780-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2781-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2784-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2785-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2786-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2787-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/3068-2793-0x00000000004A0000-0x000000000095E000-memory.dmp

memory/1776-2795-0x00000000004A0000-0x000000000095E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 10:04

Reported

2024-08-13 10:07

Platform

win11-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\a61151bbb9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\a61151bbb9.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1624 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 set thread context of 3280 N/A C:\Users\Admin\1000037002\1bf64a96e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\1bf64a96e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5048 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe
PID 1624 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1624 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\1bf64a96e4.exe
PID 868 wrote to memory of 3280 N/A C:\Users\Admin\1000037002\1bf64a96e4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5048 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe
PID 4072 wrote to memory of 2104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2104 wrote to memory of 3400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3400 wrote to memory of 2032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe

"C:\Users\Admin\AppData\Local\Temp\e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\1bf64a96e4.exe

"C:\Users\Admin\1000037002\1bf64a96e4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c558990-19c2-4ef3-a0c1-0f6028c891eb} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {178885b0-55b3-4b17-bc45-1457e6aa0043} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 22587 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {731eec53-05fb-4a15-8067-51939b86c9c1} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 2 -isForBrowser -prefsHandle 3056 -prefMapHandle 1484 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdbe2063-f6cd-4378-9177-780baa57bb9c} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4776 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8344ea86-652a-4da7-8806-5d30f6a3a8fd} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425bd169-fbfa-4a8a-bb80-f6a069029b68} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {111a9db5-51c1-4ebb-8593-1eada836ba8e} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27025 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678d7c01-ed33-45cc-ac1f-fa1dd73ea2d4} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6204 -childID 6 -isForBrowser -prefsHandle 6184 -prefMapHandle 6164 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eadae736-5736-4845-9d39-32f19d28f593} 3400 "\\.\pipe\gecko-crash-server-pipe.3400" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49848 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 161.99.165.35.in-addr.arpa udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49855 tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/2424-0-0x0000000000210000-0x00000000006CE000-memory.dmp

memory/2424-1-0x00000000774B6000-0x00000000774B8000-memory.dmp

memory/2424-2-0x0000000000211000-0x000000000023F000-memory.dmp

memory/2424-3-0x0000000000210000-0x00000000006CE000-memory.dmp

memory/2424-5-0x0000000000210000-0x00000000006CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 ba37a189ab35239217ccdd4f4766c71c
SHA1 3c0026b03213b6aa832f7e6221f1ebc601066898
SHA256 e57d84305b10f76279ab77681d47a4310497f4e9302d1da3e239d118ea96b765
SHA512 03940a1b0310e5a37931e531f4c65a53c9adab784c527e50065f5e22f10687d8f0f260a1c51453e4ffe780205c4bdd8603cac3a72bc461acb3c8ab6a20bee474

memory/2424-17-0x0000000000210000-0x00000000006CE000-memory.dmp

memory/5048-18-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-19-0x0000000000C71000-0x0000000000C9F000-memory.dmp

memory/5048-20-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-21-0x0000000000C70000-0x000000000112E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\a61151bbb9.exe

MD5 7df65683dbced3f7291eb39076e2e5e8
SHA1 71713f2fe64b7750c91bb5cf5f430bc4cd98fe1b
SHA256 04b82fddffd0735b575f82f9ae450409fe93496a86dfc5eef2f93e22e5f3be0d
SHA512 179aa98c467a961acac274b6f0a2e8f907304a82dabd53019de273255942e90debeb1948f1e293476a922391f17b695ca8ff2620320db3d61ecf19a3cc650c36

memory/1624-40-0x0000000072E7E000-0x0000000072E7F000-memory.dmp

memory/1624-41-0x0000000000530000-0x0000000000660000-memory.dmp

memory/4072-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4072-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4072-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\1bf64a96e4.exe

MD5 cb4e84cce0305faa0a43117b20174638
SHA1 5e0b5ea5e872486aaaaa28379ea08611f4a93a91
SHA256 5d3fbab87e5beaff194ad29e919aff1306fd5be2eb1beefaac069ffd5472e537
SHA512 a8be13a3d14c11f91b3d7feb7b5fc05aea026e00c1df8d01aef30e27da6441bb3734c406ffcd235fff7c4113b0bfe251cb7aec2620864d6689f6b2b8a37ce42e

memory/868-66-0x0000000000830000-0x0000000000868000-memory.dmp

memory/3280-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3280-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\66ed5fb3ce.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1592-86-0x0000000000DE0000-0x0000000001023000-memory.dmp

memory/1592-87-0x0000000000DE0000-0x0000000001023000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\da385fca-74d6-4193-8c67-3e578d22cd8a

MD5 9a99c5348868b687944edd56f279dcd3
SHA1 fb1a6f82f9e955507f4a624cc7d08cd3cc374368
SHA256 ee5ad3ace8806293ca7461edc044c894040cd62e5fa473fcb39b1e866b17866c
SHA512 6b08380d85b8ea61e58d86af1b355bbc2d3690a14c6e5a3d3b210b4f99ff5eb60635b0ba583f322fcb41dcba81841331f9b2f8a6e93554e78322990c06511d2e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\d609fc36-eac1-459c-bba5-48892600f835

MD5 f355c815616d3d08bd95399cf9b0a042
SHA1 ea273f52a74458315b847c9ad316f1a8f5726f2a
SHA256 30b740c4f6c3a279f4f68bdf795f06454e576acb5f14c347f8578c388b255983
SHA512 86c4e6c671e8e4e2e7d81e444f59d78b14fcc2a29f80fe0030b860d45d72f3ce3f998d9c2cacece0c31a6dec505064f0e5c5a0c3b916929618e5ed5fd35864ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\790a5dd4-7a14-484c-8cc0-064502d6ca6e

MD5 d1a4a20a790a1e47cb538c89dfeffe58
SHA1 0aa6c292042604e592c6fb9f66a53ab9e65ac280
SHA256 bef081e7f2fcd04e51277a021579380cd1903befc7ec531a2fb544420c1b9436
SHA512 7cad19f2c556e3b237a4919dd2b73a29b8be0b44adc3ba107621d133278b5a7d436a732384e5e90fe34d0ff6e91e9bd7fd45066701a073b1e5b1b2f6982af12a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 e5e8141e4d5e3e318521995f67a3596d
SHA1 935923323d080dae9db39284def1169e1be4bd3f
SHA256 d07834a7c9ff75095b7072e4ba3a1e5b5c6b0552ed53ce3bf93cb1a2d2d1e38e
SHA512 dc5ef4e28e5c622bf1c52fc483224c47d1bfbb1c8195863df3b2fe8fdf2df024485c56cd2d4c6f5b6568d116f9172e52aa922cea3619db7a100d0bab9d8ed469

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 555e68a2a0cd591f956e72bb6a06dbbf
SHA1 39d5d7d8ca89abb392f51eab1a34722fb590a858
SHA256 7de65404d69f70a88cc8c257a8e6121240a57ed2600be4d3967118a27c09b8a0
SHA512 d2e11d9c164269a02d66d7cc489ddf5a169f07f80b8caaae8e01f0017de91a1bf3f40b808a5905106e9f6cdcf52913ddf7d8a4f83e9f78384a7803f219bb73a8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 72c860dd423c08d24206cc096c61aead
SHA1 ccdd7a66ad2faa1c0789b54ad2cdfa19547123f4
SHA256 450cb6b3d8a7058759e164f3b499845d76246cfb2529a3df7fc3161100b55894
SHA512 588d1aa82a673cbea94dbeef6570e0d81b0603126436e2fd9274d259e7571711bea453334f8ab1da96717be161ef0068c97d3209b6bb642c558791b9d1da7ad5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 8782f0a7ac7adbf6a274fa01b69c70ba
SHA1 8a5afe4a767ebbe88e6e623e6bc313b372995504
SHA256 c9bc469758c18d5dbd66c6e983c34e4684869487e2b6fc63b25ec09ce2a8ea1f
SHA512 86404ba045e36895c9b749588e3a7531764605e54ac23740915c76f9312a9d938b81339e067b0e2e569d50ca3a09ed76d15efafe3c9343661bcff875e9c10643

memory/5048-418-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-434-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-443-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-447-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-446-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/108-453-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/108-454-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-455-0x0000000000C70000-0x000000000112E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 561b45c247ea1d497312c7580372ad88
SHA1 281837b0538e258e742549c1618745915c8b3459
SHA256 eaece00cc7e6de46ed74e608736713a4f776c5c02b707434274398ded914ba37
SHA512 c0d1b6fe9523b8c9172810aa66b64cf55a8975d8ef1635de6074eca0ff3e777fbf4f39f0ac0f826c387a12c12797870a987639192fa0e404b228ba5b058af98b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 34af19d2de93225115980df80ba7c81f
SHA1 e35d069b3d98ee9940a03190694d1bb37848382a
SHA256 879a3ccad178bc0f145e3333ee7379e7ac1ea77db6018fa3d66f61d78bbf4b75
SHA512 31daa5926c346afdd033b8a513e516361132a9d36d321bed42d4f86d9a54000160f9ae25af71e9387e7dafe7b28a4ce40a3220edfa5d744fcb7952c3cde6f733

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 d8f23beb5549303048f142a5bb70feff
SHA1 865057561baf0a834d8038b84bf9ee0e8e5572b0
SHA256 f071c5194a7fc8a40c60516e90a7bd297f26ef1c73f9c712f8e0f7205ad75d33
SHA512 b88619e0a6aa08fd1add5c392d44f666d869b251dc0d63cfcf899dd22a1d6066a4f1351ff5d58728ade8107c3a60d71960d573c5188f46db630ed1e925737faa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 4e75e8f81c4890a5072995ba363a0a08
SHA1 086941994ad5c259f9a4af4c4f74970bf8eb13a0
SHA256 dbbf9df3810e111cfd58ca3cb40326e7d9d3a8113689d4adcb2a85b988437c71
SHA512 c27444ee005dbf378b3947f650517b9bab3bc458cbec372d558ca1bf6ca9c1642e4e83136a6c536cb86da841e1ec7f2afc52db654ee2fbe8d81c5a3a6daacc29

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ab72d39480bdcfabd8464d4f52d3f849
SHA1 feb02b4991461bd1351c77d3b814a95738b3a809
SHA256 e249c5c8a9bde846388984df76487f34f4a412dc05c267126cae91b489e1e5c2
SHA512 00e0a85f1f5ca7e0ce639df9f120a1c852996c553306aa974bf6427ff9f415f60458f55ddcf5dc1c68a6c084f2fded2a296e527462dbe281af9f4d888c78d389

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 ae6e94c67fa7532929765994a5b8f501
SHA1 a2ef7e669114d4a238fba275efe60729d2bc98d7
SHA256 d585ce69b1ee0c930e13974c7755a1eb02f7753414478b8c5ffed041eee7cfd0
SHA512 3c7e787c8a9492cea2fb686b5541aefdf27a7f19f6f3ced7f7ac6c2b361ddac930215a382550cf6ebf087dc40f0ab526b116408dce67c0b27f491f7d26fe32ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

MD5 fcd1de5d57c680b7cb4683bab6067e43
SHA1 11726c95aa05124098865b709601ddabe1688f94
SHA256 1f0f562a1f3f8e46f84321c61f908129ee4439f68b360773ff165addb950bbc5
SHA512 cd39d021a022b743d4f65a8e8ccf5395f53dba700fdbbf807f04aa5431636e6c6816319d043b1824ff08220be63746dab226ab681c7a938d86f89237457c1551

memory/5048-1022-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-1592-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2096-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2757-0x0000000000C70000-0x000000000112E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 4fd98e42a04d0c7642c4c815cd5ae00c
SHA1 946924d7daae8a5d2aaacd4d8721f7756b2cab41
SHA256 30969fd70ed2ed36f67522956156a0f0b49721d16db2e72d47ea72b00340b6a3
SHA512 d6569d3715d319eae672682fc6bdac7552e70b642e5a4adf686a9336a6a0cae8c410069f8fb1b1bfebe758a3050f1b9bc33a7df68f688f0559de46781642e173

memory/5048-2763-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/1316-2765-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/1316-2766-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2767-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2768-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2769-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2770-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2776-0x0000000000C70000-0x000000000112E000-memory.dmp

memory/5048-2777-0x0000000000C70000-0x000000000112E000-memory.dmp