Malware Analysis Report

2024-10-18 23:41

Sample ID: 240813-nst93awdjq
Target: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
Threat Level: Known bad

The file 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:40

Reported

2024-08-13 11:42

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e93e0185a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\8e93e0185a.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3396 set thread context of 4744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1764 set thread context of 1996 N/A C:\Users\Admin\1000037002\17916c21f1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\17916c21f1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (5 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (35 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical rows)
PID 4400 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe (3 identical rows)
PID 3396 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 3396 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical rows)
PID 4400 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\17916c21f1.exe (3 identical rows)
PID 1764 wrote to memory of 1996 N/A C:\Users\Admin\1000037002\17916c21f1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical rows)
PID 4400 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe (3 identical rows)
PID 4744 wrote to memory of 1496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 1496 wrote to memory of 1740 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 1740 wrote to memory of 1000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (17 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe

"C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\17916c21f1.exe

"C:\Users\Admin\1000037002\17916c21f1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {679ee0ec-2a80-4e3b-a529-357eaeabf966} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {943d522f-749a-40ca-be1d-8353fd930a86} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3012 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41bc57b7-635c-4637-b1b0-06f95355372b} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3824 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f2f73d0-7c9d-496c-9853-bf2c698bd0f7} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4772 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e19ed5c2-0849-4ca4-93ad-6ef912d67893} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5140 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f439df39-14de-450c-adee-44a62bd3cea9} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 5184 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2436cec-b880-4e46-b2cc-ca4d682f1c43} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5204 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0286d7c5-29a0-4ecf-9843-b452d493e2c4} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 6 -isForBrowser -prefsHandle 5992 -prefMapHandle 6100 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5025546b-eee5-460c-937d-8f574dd03f84} 1740 "\\.\pipe\gecko-crash-server-pipe.1740" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 g.bing.com udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com udp
N/A 127.0.0.1:65477 tcp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:65484 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4736-0-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/4736-1-0x0000000077C94000-0x0000000077C96000-memory.dmp

memory/4736-2-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/4736-3-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/4736-4-0x00000000008C0000-0x0000000000D75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512 c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5

memory/4736-16-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/4400-17-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-18-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-19-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-20-0x00000000007C0000-0x0000000000C75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\8e93e0185a.exe

MD5 b7cb9408ec3a1dc9887d66a2486bba84
SHA1 aeb00177710bf797ced31a0b010a8479e04a1df6
SHA256 3764af516112d1eca7d13f26f5a62c0539ece509d8ca370085f5ce5522df5975
SHA512 363ad813ac09ee7a10b6d290e56b4301182ae1db638b5c35d08af3b3ec59deb52d22424bf9b6fe6cf86361ababd7be8a766989aad28305e3f7858b0f3285bb3f

memory/3396-39-0x00000000738AE000-0x00000000738AF000-memory.dmp

memory/3396-40-0x0000000000DB0000-0x0000000000EE0000-memory.dmp

memory/4744-42-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4744-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4744-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\17916c21f1.exe

MD5 5db5a3f06b620db20b518a768af52ff0
SHA1 627943735db2423a4e477e51a4f13d285c1c5c5b
SHA256 5f969cdb5dd215f67b7668507b227129f1a5699bc2999d4ebf049bda5a825f52
SHA512 adda99e0edb76bc3f53b3fd56ef8c1b03fd78d410a856d96d6d673ae22156ccf6e52b4154cbb6d5ec1076b04d030cd841b311c2cdeadca867a054ce22b0e440a

memory/1764-65-0x0000000000ED0000-0x0000000000F08000-memory.dmp

memory/1996-67-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1996-69-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4608-86-0x0000000000500000-0x0000000000743000-memory.dmp

memory/4400-84-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4608-87-0x0000000000500000-0x0000000000743000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\2a777787-cc19-4fff-a9c8-11ee0c5eab1c

MD5 74fe160157b27f77bffa54f3206914f4
SHA1 f79af85d952cf9c7a9a78cb8c4b55ed6215e9825
SHA256 f168e8006f22bb46897a0c895e6dafe93d1425804b31ae2047fe3526d8cd2c91
SHA512 a6b6514c3f2f9842f687ce9db25e6d88ac80daba6ec15ef1ab0a75f481eff667b8b2f1bebdbe1597bfde368ca17ca604da4423ad79296c3f46c34561f0ee9839

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\0a0eb32b-a3ad-4568-a44b-1d7fd7c3a796

MD5 58ebcdc327aa05e71a65e796c0e3c885
SHA1 48365ccf1bbf32650944dbb9ac52b1619cf1341d
SHA256 dcce2662a8a19448272c86f738dd9ddf20fca571e90a16fc8689f330cd38a1df
SHA512 87ab0bb4ff07810496f1014ca7f361ddca78b8cf6b73a1aef1faaf66d6e3a4f3f238c63b02bdb412fd88e1168320a9a1a2a714037ec9b2928c7e03f9ef018d95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 8e2e55804b1f8d66720f9223ae8f40bf
SHA1 6430446fe609edf84a2c7fd7b2cdab3e6e3a82c2
SHA256 7d0e15430ce14dcc2cf1d852f1c4c6c831b070f6604e417c5c71bc48fd48c25f
SHA512 7a1d4926d486b709d3123e2677795796699796c127acf61e336c88cfa947edfe8be1c53c8f77769cd6648dcfec080ed86d214b45485cd1a6ca4cbbd139f52fd6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\fd287f41-e7a6-40b6-9dd1-5a5efe514a39

MD5 33fda98281be9129f9c230cc2b8d921d
SHA1 ba352cac704f2b35aed8302ae48c222ffdeef07f
SHA256 217213c3fa02ae320cc345ad50606146ec45102b8fb207d2a4f5a1ac1e1510d0
SHA512 87ec9777f66e311717c9bf9f79b403df314301a76d282ed12e1a53f50ee3409171fdb809260030154b7e60bde29b72a9f367d0e97a758ce87ebfe22ef4eb2fda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 ca2d830c4cd3178f683771e1a2537b32
SHA1 ede41f9391248cfdcee9fe8a7596e53c703ef0d6
SHA256 5aacc13f396ac42d79caef65fe58ead149249b8457065fb1de95d204911fbf0c
SHA512 bc127ce42a6b5837ca75eca84a2bac50ed29e28d7badf648f1213143cab430df9c5e47f2f06ff19aabe8bcf5f3527a513deab0f6b82f53c5ee2e06c3b117014f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 c5e01178834d398121f49cb7efa1ffb1
SHA1 22977523093d1230f0958ba418a2ccc7768f804c
SHA256 d3ceea71051972cc2d850528ca3e44f1f9b1e48d920d4276452da219968bc7f2
SHA512 488dc1be567ba80bcd4248c9a571367ee9cceb41851d6573e9d022b6f795b7531106b181bd7ec1c320442dbcc51f281eb61f43ae13f2b35e7c38b4fbbd6ba803

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 04a13330cd5d66d4776e9db2a925c07f
SHA1 68813597929bd79406e9fb1baec6b56d72c0dd4d
SHA256 cf8516f60b373c7c1022dd32edd8ddec729509c4d27cb25f3a6775afff90fdf2
SHA512 bbe19ae9800112c23ebc2990abcab1f659eda4087b5df617f196d5c12114fc696be8aa57f94e40774616e8f29e3ad2f2445989d1d19cefd8d609eb27395f6fd5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 e104c09ca8544556cf2d76aa7bb1574c
SHA1 aa7a48795f25ecebaa26df540da3cf016e60376d
SHA256 4e2e3571fd68e9e7e1042e3725df913a764bfbf575aa6a4669c355d0b2fec66a
SHA512 b65340d0ad093708f21e5c55c952a3c2d666cd69fd989f7fe2555856c3ef16d2b1ba6d850fb0768d4bfe082c2e62379ab48cf41799cd9de08482aae3dd4be540

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 635c1ddd9c42ee9bdff35d7f130f4476
SHA1 b2eb458487a1c56c925c16e413bb52ad7f4b4eeb
SHA256 ef853b7c34b2df729bfa2b08cd83805ab052d3ae619856427fd3269748ba8d61
SHA512 d2d94b30b4dee5c74a13e01bf5c4928b61ab3b7329f30f23535a7566b2461c17d6e060f726477cd6e6ac118d198b7a4e2baf4510dfa2d7bfcc0e4740c3be1a57

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 744aea72875dd25032f2102720feced4
SHA1 2a6f5243f6f8245996d13c78cb172b24da673983
SHA256 309e369c10cc6b73e8b582b6fa1100df45a5f417896b4cf1d4e79db9136aef28
SHA512 4a1a99dc603a849f189477e4fcba32b31c9dd3464ffb18f743cdfa346ae97459151f940d674112f5d24d7488ab9d331819c1ae6866d15651b695ea7b15518c3e

memory/4400-436-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-445-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-446-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-453-0x00000000007C0000-0x0000000000C75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 18c5504095913a8409fea3148ace184a
SHA1 650cda1cd07fe0b2cfdfce3310c8cb2169964473
SHA256 ebc2e9b607402881be0c6f72be8ca9d0e8cb495b2a815d2f125290a1f66a11f0
SHA512 1b7346500fbd963dbfb9ceb3f7d785fa1a568cdf2cad23a851bcff022b99ab104544ed1869766685c28e50763de38dc111df4347c534cf6f3dad5f97ba0b00c2

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 679fc0ec596765c48e65e980a37e22bf
SHA1 95f90eab47ac9fe8a6023f12ce511acb81126108
SHA256 22bbaf3d52eb8e4869a2a010349fb24eb80f470ef27ca2333d0da1ffcb4bea11
SHA512 42892dc7e201dc102865b921c3f7d0232a161eae47bd41f92be3edc9481d260227da5ed4de261ece79268e99fbd3b0adf439d1c335bbc748b21191c7ec46d455

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 cd56f755f0eb22c5090da70d3900d310
SHA1 cabf393c511c2a627c520ac20bd8207832a1cb8c
SHA256 633cc8ac27439054819ff276643441c227e4268cfe2ca428ff8db0de5cf7c8cc
SHA512 61e4fb871db1327efab16401c4c36775daf2be7cf8beefc7ab9e22e049be47f512b9e8066f953f54f4b0ecc9588a5aa3ad5584821da768e3531c4fd9fda47246

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2927a7d18f4634e823aac8a35195a22f
SHA1 1669b4fe7702df3cf4ca0e9d6af08959ed289192
SHA256 6b4e71b8e1f529ff68c400ec47114e0dd8ca56836502d9f2e1dff039cf69e05c
SHA512 c978a0de03389ed3ff5cb416f1bf44eea6b8f8d5dff698699af9ce20accf1a96d7d2ffb8ee608569ed8aabaadf1013b3764657091d23fb267e23710b815febcc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 4186feba1257cb4c9d0e0b3799de4990
SHA1 0406c5a8820b7d31237a44ae1af0fe75bba175ab
SHA256 5479a5723ad3b53425e158411e436d393e51885f9d7d87956804eb776eb1ed5a
SHA512 fb178dfe31988329546fb41835630fcd39d6e4442fd14ff04d80ab4c94c814100aeced481d8b80eece1942db95c394c979bdf45a5a682b313f03a36509742e84

memory/4400-668-0x00000000007C0000-0x0000000000C75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 b266c87947683f85424703b5f9305de2
SHA1 5d38b3cd9c0cba4f612909e04605459cee9721a3
SHA256 8ad007ee35a0e78031fe8d1e00ddb692e5a1085119694c3d61baa4c266b0304e
SHA512 5bf63c1f5311f7de9e432c3fcedbda10eab4679b65e4d136c456b6d5a349761343d70d63cae2252e4217e7b7e0d5e7f966e6bf17517374b77b0cf2ded4009750

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 d79d55ee8bb20f323964e6beffb4098d
SHA1 1a744c4caaf8fdc6b00c2f9bad8522d0c339ebb8
SHA256 7a12318489f66d7e321b33cfd49840e29e3c42c7041854d039788bbd946e30dd
SHA512 74842bfee5f4c8abd89e57b14e068225eace2688b4280a01e463ced7bcc41b6723f7d0a0423c45ab9c65e75992bc157c73c7f8ee12b61b3cb784ebd70d2028cf

memory/4400-1871-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/5272-2001-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/5272-2048-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2624-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2628-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2632-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2633-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2634-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2635-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/1528-2637-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/1528-2638-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2639-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2645-0x00000000007C0000-0x0000000000C75000-memory.dmp

memory/4400-2646-0x00000000007C0000-0x0000000000C75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:40

Reported

2024-08-13 11:42

Platform

win11-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a64ccf7b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\4a64ccf7b9.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1884 set thread context of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 set thread context of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\b9cfe2f0e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5088 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5088 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe
PID 4816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe
PID 4816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1884 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b9cfe2f0e5.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b9cfe2f0e5.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\b9cfe2f0e5.exe
PID 4088 wrote to memory of 2524 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 2524 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 2524 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 2908 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 2908 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 2908 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 3200 N/A C:\Users\Admin\1000037002\b9cfe2f0e5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe
PID 4816 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe
PID 4816 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe
PID 4400 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4400 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1176 wrote to memory of 5052 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5052 wrote to memory of 1412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe

"C:\Users\Admin\AppData\Local\Temp\122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\b9cfe2f0e5.exe

"C:\Users\Admin\1000037002\b9cfe2f0e5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975eadc8-f5fd-4d82-a3e6-4fe0dc0a3c89} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d590855e-1556-4711-a10a-10767eddecde} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2876 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b6db85-65cf-4f17-b587-45f6f85b1b8f} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4080 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af925b83-fc6c-493a-bf22-910ada20cf0e} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7876a455-c1ab-45ee-835b-5b0f5f961b6a} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f65dbb-ce34-4706-87d5-4b86859f841b} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5788 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5df9f10-7203-406b-ba6e-6d6c47bb0bed} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15b75db8-473e-42aa-a231-7f7be8872b31} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 5972 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d093b9e-2d47-4f3f-b2b7-32682748e521} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
N/A 127.0.0.1:49840 tcp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
N/A 127.0.0.1:49847 tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/5088-0-0x0000000000390000-0x0000000000845000-memory.dmp

memory/5088-1-0x0000000077356000-0x0000000077358000-memory.dmp

memory/5088-2-0x0000000000391000-0x00000000003BF000-memory.dmp

memory/5088-3-0x0000000000390000-0x0000000000845000-memory.dmp

memory/5088-4-0x0000000000390000-0x0000000000845000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 8cfd11d6a5f1ba80b9f0ca53a2f35b64
SHA1 6eb30457da8fc3b449da94b37620dc8bc8e6d884
SHA256 122fd9bf6c0a21c449845f825dd836f25e7da0bc7557e0924132ddd3fe66248b
SHA512 c452673edda6c6b02894bb92121ff230ae0167bfe7b8645145dccd33e0a1a726dbda8e6abf5e7432e75f8d49c3e2be81d454e3e34515acd5659ad64c55408de5

memory/5088-16-0x0000000000390000-0x0000000000845000-memory.dmp

memory/4816-17-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-19-0x0000000000611000-0x000000000063F000-memory.dmp

memory/4816-20-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-21-0x0000000000610000-0x0000000000AC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\4a64ccf7b9.exe

MD5 b7cb9408ec3a1dc9887d66a2486bba84
SHA1 aeb00177710bf797ced31a0b010a8479e04a1df6
SHA256 3764af516112d1eca7d13f26f5a62c0539ece509d8ca370085f5ce5522df5975
SHA512 363ad813ac09ee7a10b6d290e56b4301182ae1db638b5c35d08af3b3ec59deb52d22424bf9b6fe6cf86361ababd7be8a766989aad28305e3f7858b0f3285bb3f

memory/1884-40-0x0000000072D1E000-0x0000000072D1F000-memory.dmp

memory/1884-41-0x00000000007E0000-0x0000000000910000-memory.dmp

memory/4400-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4400-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4400-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\b9cfe2f0e5.exe

MD5 5db5a3f06b620db20b518a768af52ff0
SHA1 627943735db2423a4e477e51a4f13d285c1c5c5b
SHA256 5f969cdb5dd215f67b7668507b227129f1a5699bc2999d4ebf049bda5a825f52
SHA512 adda99e0edb76bc3f53b3fd56ef8c1b03fd78d410a856d96d6d673ae22156ccf6e52b4154cbb6d5ec1076b04d030cd841b311c2cdeadca867a054ce22b0e440a

memory/4088-66-0x00000000004F0000-0x0000000000528000-memory.dmp

memory/3200-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3200-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\648bc05d34.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/580-86-0x0000000000CA0000-0x0000000000EE3000-memory.dmp

memory/580-87-0x0000000000CA0000-0x0000000000EE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\1c783b1d-4242-44b8-afa3-60532c060855

MD5 25c2049606c17b6a8437ba738525259d
SHA1 7ede2c2dcdb930a8e56f209846dcb25e28e1728c
SHA256 501a244e069a66f955bf361891dfae95bdbdf2d32605210a90a05f1c1a90095f
SHA512 fbb31177d16945dacf0d54c0f637dbe420cbfa225474af4610cd192a69fc230836476bb66a0cedff2ef2aa47094db1926a5d0671a2df6ea0bf26dac33d5c5ed8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 a58bb3dcdbfaadcd3e78427f89e0892e
SHA1 904089522b10788c1cef50b45571e27f6e8c0479
SHA256 4a9cfd2f77e1eafee4a13383d3975bd2f1ac5f2099d2f8acba9dd5c45e62b6e0
SHA512 754c8c6aaece26c4451607edd46de4c261fe9969425ecbb7ddbde36472e4b0c2bc15d8795305858913aa1c1d04b848e0b9b63b3dc55c55dd8cd40544232cc72c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 0b898f18003a503b9342096a6e911420
SHA1 648068b2e55f18d89d79b30f32b920b16d1e36f0
SHA256 3a7836de6f7f3d1c5eda5e40723da62da26e18e92f515ffc5b27f090a052f1d5
SHA512 932bdfa3a8098d6e8005750b6d3fb1660c732363bc24911810c418d0ef9e7756c618c087486e1a66939137c0b8d24ae1f40b3cb487a9cf06e3a212ef16eb5bd6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 cdd196094b4e977766815b77775156e4
SHA1 305d6bda086811eeb498ab1ca419c613deecc6dc
SHA256 c3950d44afbb3b669803756a695de7ecc67ca932a15a7e970de6fcac0c42b5cd
SHA512 7920ec3e058e1fd1548176e3a5ecbb266e90ff34e08a7323706ddf9f5c479a14a2ce22bb59e72c7a886d4ad58faefc09f983859823ebe6b510d85d6b4ae98997

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\eba68137-6d06-4120-8390-bbc6dcfedaf1

MD5 9a4d5319a42e73e70a5c6ef0ab5c5aa2
SHA1 646f9420c059d8f631ca5a552ae61ba9328a96f3
SHA256 67053128a9613d3184ee8dc469a139aa0c85d51f525546d5836a62cf2aa2a3fc
SHA512 8ebcd20ef8ae8664561ae291b83c6aa038c5427c2ee734cbf608d8878c11fef7cee921517f79500c1d4d6abe4a802c43246552937948610bc0d5cc9a8a2555c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5c99701b-d54c-43d3-808c-c5ac1b6a782f

MD5 27a66fba6cd01b1dfabafa1721f24847
SHA1 1635d7d176d1da279c29b915ccfe1885e7db653d
SHA256 0f20d9ddf74858f8f4c09eea7818aaf39d80d99d707c0b64b16a16c35404dbca
SHA512 fcf3a981a2a031e17eff362d985735486155033c01147db0b4b0a01b69b8c5f2804403c0bc54ec970916052cde06f699bfb619dacae4d7ce62832acdc94d23df

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 9670634ad26b5369dbe399ce80c573c1
SHA1 4f833973367ec596efffb238b4654af8a7535a37
SHA256 a8fc7003f80ba3a3741dd218fc1d05f9f4f49c43d9bcffc8b1b813658ccf0f10
SHA512 50df36ebdfd9ab7d9641cf49b2eaabbbcf46eb5a964066b05ab9d8c8e0eebdb93ecb26b3dc6d5648391f4edc466f26324ede92f2f7dbd3a7ab64ca16d6377d0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 c0655ff16b56590e22aa3f04ab2215f1
SHA1 cbd3bb14f13efab6aa1c64b03e9490cdbe303264
SHA256 02e2f85d76de8cd92f3cd6575a24b6667ffa3c4c4427d252c97025720a536d69
SHA512 32b17fdc5275a9343ab1d0cde43f228137636817b044a4d8fa916eaf8d309fff3583f5ba078ae7f114f105a0aefc0e8274e7b290ca3866a84e8898402749d857

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 188054a4b674eedccef7e0dc011902a4
SHA1 30d504dcc8b9688bd9d25976830fea6e81982732
SHA256 11ab3b11b12717842c5daba83797be9431988d926cb6b05c6afa437b62514fa5
SHA512 813f3ac78c28e42bfbc3ffa6e9edc8dc43639ca10c3aeebb1eed8d3ca76b2326765ea5bbed9e910968d96536f1635b2fdffa458a8b0cdf3e0453c420662ae06e

memory/4816-388-0x0000000000610000-0x0000000000AC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 5aac6b8817db5333c11ac8330c21e8a0
SHA1 94604e943679876a01c40d89999127d329142754
SHA256 123d075cc44d65db6d2357ca1c219f2150a59ade573fa2e8ae6183f6ee77e154
SHA512 1ae698565bd3f99a3ce98302e6cbb4e947107f5f21387d6260ab71c26de5bedf03c8823501318296b68820271f49f0279f5b36e6baf4bf3b6434d13e991d9780

memory/4816-442-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-443-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-453-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-452-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-460-0x0000000000610000-0x0000000000AC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 b9b59101b70af6d278aff306ea53370c
SHA1 88dd07fe5bd245fe1c0656bab4304053b5461818
SHA256 864dd027c90d36f992b67074fcaa04376263fa30da32f46a62fe3bcc69c24a7d
SHA512 304bc6f0cd72f31b10389835f82fab6eda3785c685b357256a688f9256ca6f02aea81080a6f9cbb05ca6036469bb5d86a49b6bfc5dd4eec1a160833b9d10f11e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 cc92536a7e57f9977777ef3f0c8ed767
SHA1 a24fa1f2710204057df5b911cc51add34efcb42b
SHA256 3d46d44f9e9a4d5f6a5d2c47017bc95e8f2267d4a57a84c31124ae65a7e2fa12
SHA512 edbceddaa00bd1b1d8cf754280385d8222951980bfd063a630500c99f2bcabf28130f3f80fed99a5c816167abc3a82af8792e261e285458b08f22c0597bf1120

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 a956c5b836eeef1d83da70bb2b7f01bd
SHA1 809d9d6a4b39719ae8470339c96f0fe8756ebe4e
SHA256 1e223aba08cb20d61a573def10adccce110ca8acdba2aedaf22cd85f1751954a
SHA512 47c54b46ea6de7fb7663d4c5095ca0b0eb9594bede57b8be4b092600b3b4aff6107a911939897b693049ebc8b02fe1a3c3773c434708686490cb6b54f10a1380

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 fd893203c6034e106965b232867966d9
SHA1 7dc800a3f286301d07c1e2effeec836d4dc770e8
SHA256 3f3be488382fe8c38c773dc5f40a2f19761935b7372998a964aab478ae1ebf69
SHA512 952550f414c0b31521d462d757673f0b68dfd664f0d5e3f7e11af4d74867b05aa54600449a102045b454c2e1c4b2b0cbfe55a921f418acbdd97ff312b50f48c4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 a18b74fcd5c47189a0363ee6cce56a7f
SHA1 7b95ecb9569bcd119d855db1684a6176712770c8
SHA256 8d4b7644e994ae2603fcf92d7c2eb52550e0770838fd89c2396029cb0c7015ea
SHA512 3b84ad37b2edb826a261062a1443f863d3deedc027212846c8062036f28f2910d844ff4e1d323f6d3ff8a3641006e09f9c79e686c110084fbd0c12397eded4c2

memory/4816-886-0x0000000000610000-0x0000000000AC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 2ed92d17ff23343f62ab091fb56027cd
SHA1 c460cc85131d66ebd7c68a64862be6e3423afbc0
SHA256 6fa0b6f1054805262b121018bc01fb92d6054edce83a5fe20b31943900063c96
SHA512 32795606419b38bd1fc81d3f848c0d481ebebf757e418a0d8756e2d522aa8558784c9c53b31cc04a43ff1be42edfcfdd5d440a4261d461c22214556d21ade479

memory/4816-2071-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/6096-2072-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/6096-2123-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2589-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2595-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2599-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2600-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2601-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2603-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/1052-2604-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/1052-2605-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2606-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2612-0x0000000000610000-0x0000000000AC5000-memory.dmp

memory/4816-2613-0x0000000000610000-0x0000000000AC5000-memory.dmp