Analysis Overview
SHA256
d35ce3c05cc9670b5f3f0ec95f63e0ac8d3df6aae8bb2243cda70f9ceb99230d
Threat Level: Known bad
The file WhatsApp Images - INVACO PVT.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
UPX packed file
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 15:30
Signatures
UPX packed file
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 15:30
Reported
2024-04-02 15:32
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Signatures
Formbook
Formbook payload
UPX packed file
AutoIT Executable
Suspicious use of SetThreadContext
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.0.372657342\2125626032" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {762c97c4-e922-44b1-8fa4-50406b2fabb0} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1280 11dd4258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.1.627132670\885266092" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcf781e3-5d50-4151-a666-2ea0d39bcfd1} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1484 d6fb58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.2.1280230134\618838481" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c52ee0d-74fa-4b99-8520-2959a7a236eb} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2116 19e7bb58 tab
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.3.450262673\398843359" -childID 2 -isForBrowser -prefsHandle 668 -prefMapHandle 608 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9806469e-e69d-4ee5-8c3e-4d47a68406d2} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2520 d71958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.4.447108278\1141271293" -childID 3 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {334b5e23-7f1d-4a0e-97b2-9802f0b5db7e} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2888 1b8d6b58 tab
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.5.185524218\493553630" -childID 4 -isForBrowser -prefsHandle 3712 -prefMapHandle 3716 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d49ad0eb-e68b-4e90-b1f2-47f7bac31c1e} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3696 19ff7258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.6.413775371\1982450434" -childID 5 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d179b445-78f1-4498-a57c-8df2511b1476} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3808 1dbf6958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.7.930062063\194217996" -childID 6 -isForBrowser -prefsHandle 4028 -prefMapHandle 4032 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef23003d-b5ca-4916-9e47-148c7c9f0144} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4016 1dbf5158 tab
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 15:30
Reported
2024-04-02 15:32
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
156s
Signatures
Formbook
Formbook payload
UPX packed file
AutoIT Executable
Suspicious use of SetThreadContext
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.0.1752752567\291694843" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {725c76c9-dd12-4ed1-9650-cf26f487926c} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 1976 219f3a05f58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.1.477317733\823419807" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c331f82d-a0ae-463b-a3e0-c2e31cb9faa7} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 2376 219f26fcc58 socket
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.2.400485127\2067507420" -childID 1 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd6231af-d15c-415b-b402-051f221eba09} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3356 219f296a358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.3.1629347841\912802169" -childID 2 -isForBrowser -prefsHandle 3224 -prefMapHandle 3020 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1797c465-dc5b-4f66-b3b1-0431375b51a4} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3708 219f5411958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.4.14321588\710378841" -childID 3 -isForBrowser -prefsHandle 3020 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ebad744-4a51-4caa-9832-908000a92a2e} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4388 219f8765558 tab
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.5.1710711545\1709942947" -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1eabe0-fab9-43d7-bc60-483a918f9890} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4984 219f8b33158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.6.284460748\1881223573" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7e94e9-3cc4-422e-8027-efef5c24b469} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5232 219f8b33a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.7.2028663452\768060704" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {171edad9-30dd-482f-adbd-769f3abeee05} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5424 219f8b34f58 tab
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
Files