Malware Analysis Report

2024-10-18 23:41

Sample ID: 240813-q9gfmsxdme
Target: ce34e695be48df08fa41d59a053cedd0N.exe
SHA256: 0ed0b53230753468678dee0d7f6d5566f6b26de475f62392c9a0c313d5aee82f
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 0ed0b53230753468678dee0d7f6d5566f6b26de475f62392c9a0c313d5aee82f
Threat level: Known bad

What the behavioral1 run shows, pieced together from the signature, process and network tables below: the sample (PID 2636) starts C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1920) and creates C:\Windows\Tasks\explorti.job through the Task Scheduler COM API (a legacy Task Scheduler 1.0 job file), which is the loader's persistence. explorti.exe then starts two further payloads, 754271dff4.exe (PID 3012) and 2155bea9e1.exe (PIDs 1096 and 2200, two copies in different directories), and adds 754271dff4.exe to the user's Run key. PIDs 3012 and 1096 each start C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, write into it and reset its thread context, the classic process-hollowing pattern, so the stealer runs under the name of a signed Microsoft .NET utility. The hollowed RegAsm.exe (PID 2432) then launches Firefox on the Google account password page, and the only traffic not attributable to that browser launch is plain HTTP to three bare IP addresses in 185.215.113.0/24 (RU) with no DNS lookup beforehand, which is typical of hard-coded C2 addresses. Both the sample and explorti.exe probe for VirtualBox (ACPI DSDT VBOX__), Wine and BIOS version strings, and hide their threads from a debugger (NtSetInformationThread). Several signatures (Checks processor information in registry, Modifies registry class, Suspicious use of AdjustPrivilegeToken) fire only on firefox.exe and are browser noise from that launch, not sample behaviour.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported: 2024-08-13 13:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-13 13:57
Reported: 2024-08-13 13:59
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\754271dff4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\754271dff4.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3012 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1096 set thread context of 1512 N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

The same two PID pairs appear in the WriteProcessMemory table: a payload in a user-writable directory starts RegAsm.exe, writes into it and then resets its thread context. That is process hollowing, and it is why the later signature rows name RegAsm.exe (a signed Microsoft .NET utility) rather than the stealer binary.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\2155bea9e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (2 identical rows)

Both rows belong to firefox.exe, not to the sample or its payloads.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A (1 row)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (59 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (4 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (61 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 1920 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1920 wrote to memory of 3012 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe
PID 3012 wrote to memory of 2432 (14 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1920 wrote to memory of 1096 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2155bea9e1.exe
PID 1096 wrote to memory of 1512 (13 identical rows) N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1920 wrote to memory of 2200 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe
PID 2432 wrote to memory of 948 (4 identical rows) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 948 wrote to memory of 1292 (12 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1292 wrote to memory of 1776 (3 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1292 wrote to memory of 2312 (2 identical rows) N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Read top to bottom this table is the process tree: sample (2636) -> explorti.exe (1920) -> 754271dff4.exe (3012) -> RegAsm.exe (2432) -> firefox.exe (948) -> firefox.exe (1292); explorti.exe (1920) -> 2155bea9e1.exe (1096) -> RegAsm.exe (1512); explorti.exe (1920) -> 2155bea9e1.exe (2200). The two largest write bursts, into the RegAsm.exe children 2432 and 1512, are the same PID pairs that appear under SetThreadContext.
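The hollowing pattern above can be recovered mechanically from the two tables. The script below is an added example, not part of the sandbox report or of any sandbox API: it parses WriteProcessMemory and SetThreadContext rows copied from this report (with the first row deliberately repeated to show de-duplication), rebuilds the parent/child tree from the first writer of each PID, and flags any parent under a user-writable path that both writes into and resets the thread context of a child under C:\Windows. The path prefixes, the row regex and the `find_hollowing` heuristic are this example's own assumptions.

```python
"""Rebuild the process tree from sandbox API-call rows and flag process hollowing."""
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables. The sandbox emits one row per
# API call, so rows repeat; the first row is repeated here on purpose so the
# parser's de-duplication is exercised.
EVENT_ROWS = r"""
PID 2636 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2636 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1920 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe
PID 3012 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1920 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2155bea9e1.exe
PID 1096 wrote to memory of 1512 N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1920 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe
PID 2432 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 948 wrote to memory of 1292 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1292 wrote to memory of 1776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1292 wrote to memory of 2312 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3012 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1096 set thread context of 1512 N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"""

# Row layout assumed from the report: "PID <p> <action> <c> N/A <parent image> <child image>".
# Image paths may contain spaces, so the lazy ".exe" groups split them.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A "
    r"(.+?\.exe) (.+?\.exe)$",
    re.IGNORECASE,
)

# Assumed path prefixes for the heuristic (default Windows sandbox layout).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_rows(text):
    """Return unique (action, parent_pid, child_pid, parent_image, child_image) tuples."""
    events, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, action, cpid, pimg, cimg = m.groups()
        key = (action.lower(), int(ppid), int(cpid), pimg, cimg)
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events


def build_tree(events):
    """Map PID -> image, child PID -> parent PID, and (parent, child) -> actions seen."""
    image, parent, actions = {}, {}, defaultdict(set)
    for action, ppid, cpid, pimg, cimg in events:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if ppid != cpid:
            parent.setdefault(cpid, ppid)  # the first writer into a new PID is its creator
        actions[(ppid, cpid)].add(action)
    return image, parent, actions


def ancestry(parent, pid):
    """Walk parent links from pid up to the root; returns a root-first PID list."""
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def find_hollowing(image, parent, actions):
    """Flag a user-writable parent that both writes into and resets the thread
    context of a child living under C:\\Windows (the hollowing signature)."""
    hits = []
    for (ppid, cpid), acts in sorted(actions.items()):
        if not {"wrote to memory of", "set thread context of"} <= acts:
            continue
        pimg, cimg = image[ppid].lower(), image[cpid].lower()
        if pimg.startswith(USER_WRITABLE) and cimg.startswith(SYSTEM_DIRS):
            hits.append({
                "injector_pid": ppid, "injector": image[ppid],
                "hollowed_pid": cpid, "hollowed": image[cpid],
                "chain": ancestry(parent, cpid),
            })
    return hits


def analyze(text=EVENT_ROWS):
    """Parse the rows and return the hollowing hits with their full ancestry."""
    image, parent, actions = build_tree(parse_rows(text))
    return find_hollowing(image, parent, actions)


if __name__ == "__main__":
    for hit in analyze():
        print(" -> ".join(str(p) for p in hit["chain"]),
              f"| {hit['injector']} hollowed {hit['hollowed']}")
```

Run stand-alone it prints the two chains ending in RegAsm.exe (PIDs 2432 and 1512) and stays silent for the RegAsm.exe to firefox.exe and firefox.exe to firefox.exe writes, because those lack the SetThreadContext half of the pattern and their writers are not in a user-writable directory.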

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe

"C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\2155bea9e1.exe

"C:\Users\Admin\1000037002\2155bea9e1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.0.1599656839\1548678851" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33b51620-24c5-4ef5-ac13-a502ee81b065} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1300 14303558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.1.399070765\1453323635" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0082f7dd-e5aa-4a62-b177-8bd75410c614} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1516 d71b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.2.776914161\2088471714" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eb92778-78e2-4e83-b892-af5aafc28a66} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 2068 10562058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.3.1773181422\1653817324" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {963bf1c1-ebc7-438f-84d8-e5dbeaf1632f} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 2916 1d860058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.4.288312683\1441651590" -childID 3 -isForBrowser -prefsHandle 3764 -prefMapHandle 3752 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b403013-00ae-45d1-b9fd-6471d48715b1} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 3740 1f6f1158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.5.1541159880\961194328" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87ab84aa-364f-479a-8e1f-448fffa08ca9} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 3872 1f6f2058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.6.323509691\1052921000" -childID 5 -isForBrowser -prefsHandle 4028 -prefMapHandle 4032 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86dc75a7-1939-4d42-931a-a22500c3685d} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 4016 1f83d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.7.3584914\1225411020" -childID 6 -isForBrowser -prefsHandle 4304 -prefMapHandle 4280 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36d6c786-294f-4dc0-9488-3dace45c181e} 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 4308 1f085f58 tab

Network

The first four rows are the sample's own traffic: plain HTTP (port 80) to three bare IP addresses in 185.215.113.0/24 (RU) with no preceding DNS query, which is typical of hard-coded C2 addresses. The remaining rows are consistent with the Firefox launch recorded in the process list (Mozilla service endpoints, Google sign-in, the openh264 codec download); rows listed as udp to port 443 are QUIC (HTTP/3). The two loopback rows carry no domain.

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49301 tcp
N/A 127.0.0.1:49309 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-4g5ednds.gvt1.com udp
DE 74.125.162.198:443 r1---sn-4g5ednds.gvt1.com tcp
US 8.8.8.8:53 r1.sn-4g5ednds.gvt1.com udp
US 8.8.8.8:53 r1.sn-4g5ednds.gvt1.com udp
DE 74.125.162.198:443 r1.sn-4g5ednds.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\754271dff4.exe

C:\Users\Admin\1000037002\2155bea9e1.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\2155bea9e1.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\b68cc9ea-ebf8-4f3b-92a2-237ca9ee5ac0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\4c612703-6315-4896-a28f-8c2a3c2d7361

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 13:57

Reported

2024-08-13 13:59

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c117fb5cc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\1c117fb5cc.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 708 set thread context of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4232 set thread context of 4132 N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\2155bea9e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\f4da902613.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 3128 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe
PID 708 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 708 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2155bea9e1.exe
PID 4232 wrote to memory of 4132 N/A C:\Users\Admin\1000037002\2155bea9e1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f4da902613.exe
PID 1436 wrote to memory of 1892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1892 wrote to memory of 4600 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4600 wrote to memory of 2996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe

"C:\Users\Admin\AppData\Local\Temp\ce34e695be48df08fa41d59a053cedd0N.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\1c117fb5cc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\2155bea9e1.exe

"C:\Users\Admin\1000037002\2155bea9e1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\f4da902613.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\f4da902613.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4d753a-6fe9-467b-b79b-8980736fadd3} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d04b8a-abd9-4cfb-814a-8d3a0c97543d} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3264 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb8d2dbd-b403-459d-bbd1-45eac18c8c12} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2616 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e16a4628-bca0-44f7-8a1c-3a399ae8faa2} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {253bb604-c43b-4718-b6be-84652129a253} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12cfcc55-d4dd-42a9-a30a-b4f5371c97bd} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5698f49-c682-41e2-b69e-4619481e2916} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 6056 -prefMapHandle 6052 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc1dad92-58f3-49d6-bf61-503169ec5f78} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 5748 -prefMapHandle 5752 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65159e3b-96fd-41ef-9cd0-3dbf247aa501} 4600 "\\.\pipe\gecko-crash-server-pipe.4600" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network


Files
