Analysis Overview
SHA256
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa
Threat Level: Known bad
The file b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 04:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 04:27
Reported
2024-07-10 04:30
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe
"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe"
C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd47c087-4ef6-47c0-a380-f82a75d0700e} 316 "\\.\pipe\gecko-crash-server-pipe.316" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7fd9e9-8c74-4201-81f3-038ec97a84cf} 316 "\\.\pipe\gecko-crash-server-pipe.316" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 1568 -prefMapHandle 1468 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6355c80f-6b34-4657-b459-035cd5ccec44} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac49e12-eaaa-4e94-b69e-c0b85f87d0f1} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4780 -prefsLen 31278 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff702d8-4717-4b35-ba9a-2bfc1060280a} 316 "\\.\pipe\gecko-crash-server-pipe.316" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 4788 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f1a325-4ac9-4e9d-9713-fe17fd9a38d9} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5264 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2615b79d-e32c-4360-b84f-6d377d5739e2} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 4796 -prefMapHandle 5300 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5af53d-542d-4465-adc0-148c434ec889} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"
C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe
"C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"
C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe
"C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | 30.47.28.85.in-addr.arpa | udp |
| N/A | 127.0.0.1:61603 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| GB | 216.58.201.110:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| GB | 216.58.201.110:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 44.238.192.228:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 228.192.238.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| N/A | 127.0.0.1:61614 | tcp | |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 88.221.134.209:80 | a19.dscg10.akamai.net | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigzrnsr.gvt1.com | udp |
| GB | 74.125.175.38:443 | r1---sn-aigzrnsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigzrnsr.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigzrnsr.gvt1.com | udp |
| GB | 74.125.175.38:443 | r1.sn-aigzrnsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.175.125.74.in-addr.arpa | udp |
| GB | 74.125.175.38:443 | r1.sn-aigzrnsr.gvt1.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/3368-0-0x0000000000B60000-0x0000000001024000-memory.dmp
memory/3368-1-0x00000000776D4000-0x00000000776D6000-memory.dmp
memory/3368-2-0x0000000000B61000-0x0000000000B8F000-memory.dmp
memory/3368-3-0x0000000000B60000-0x0000000001024000-memory.dmp
memory/3368-4-0x0000000000B60000-0x0000000001024000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
| MD5 | 2dff402b11d60b8d635038afcb1edd60 |
| SHA1 | c62452c7fec9c0d9e2fc85a1682cf451698a8e2a |
| SHA256 | b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa |
| SHA512 | 0cfc5fe4924dbd0b86999f6da23bbe5edfb8f4d404b6c33bed029c86a7faf21fbd043b8a497508245cf99ad1e49f555bee573b21ab40a4948d44ad959f437690 |
memory/2264-16-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/3368-18-0x0000000000B60000-0x0000000001024000-memory.dmp
memory/2264-19-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-20-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-21-0x0000000000710000-0x0000000000BD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe
| MD5 | 77e2f975608c88144f09c2183217adff |
| SHA1 | d54426b5072ad1b974492836fc2ddee0bc6f2747 |
| SHA256 | dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9 |
| SHA512 | ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64 |
memory/2820-37-0x00000000002A0000-0x0000000000E84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe
| MD5 | bea6ed281b600eae06be252f581721c1 |
| SHA1 | 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d |
| SHA256 | d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf |
| SHA512 | 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42 |
memory/2820-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2264-84-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/4100-85-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/4100-107-0x0000000000710000-0x0000000000BD4000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 3a7070b2ce5c9d7950433d3364045f7c |
| SHA1 | ce85f9be997145f14586b473b5a31635f908d492 |
| SHA256 | b733c2d765762b3e6b9c27ae8988f99607a5429ae313e04a65dee20678782542 |
| SHA512 | 789e48e31ca32b67c42c16b27ac9645893527a04618fb80c0c3ef08eee07de6a7065cdc91edcf6f0fcec8dbded0da153aeb92737234b0b89df401ee762374b85 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\d31ab7bd-43a1-448e-bdfc-f9016c4abf86
| MD5 | 46fb08e78351d5dcbd73df3c8142855c |
| SHA1 | 9cd3fcb1d20adfa98d9f0b5db16e17f7f9a131a1 |
| SHA256 | af2c4d454ab173df8fb1b57ec869f22b23279856cff82ebf3775afcc99a8fb3c |
| SHA512 | 8f91eba913cadf59d646676b2bb64978d535ee093748359fe517de795c5985ba7b603bca8ca3635c3fdd69aad5bf3633ff4c5cb09ebd80b904dbc8732aaa19e9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\933adcf8-c7d7-4507-9db1-ad80bf2d020d
| MD5 | e4ea6cf299b2c9454e589af84fad3ed2 |
| SHA1 | 481687a27642959cffd642c020998926edc9c4c0 |
| SHA256 | f1653f30a4a7d523c1b7104f2985803241b1d6173750a0c28660d2535c8422be |
| SHA512 | 43f526d518e0c01ca05e9fad883dff5af35f6fe3c1b84f4a21f5a94aeeb49613c7b5588c10b52457655e011066c463a426d99933cca35bb9cd3ab5b6226ae715 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | eec23717952b64ba6638f708f07948a2 |
| SHA1 | 9e615224b93e8278e36db1afc6c3a1b00ee6b85b |
| SHA256 | 16a9a7c73e55bc673d3faa12879849d6ef020a43bbe661f9302b4a68267ba918 |
| SHA512 | 933b247272bc76a75cd51b046d78bb8aa2d00a4e89af693531ee9248d63d35dc74e97f6f42c4e33a4c5c50cdfca635365d238ce53202abc448a7602dc5faf2a4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\fb316db3-a536-4348-b954-9522a7fb964c
| MD5 | 034fa6dc88bd0c70a59fe0adf2307374 |
| SHA1 | a81bcc33543f7ca741ab9dd6765584f2f3c6a9f0 |
| SHA256 | 951f9f0c528bf297ec73faefec554065605da9ae82cbf2f86f7943e28b4072a6 |
| SHA512 | 887effe4a32dbbe9d6614393746cd09a705d6af12540da20a34fc5f77f8fab2c835831444a623e0054c0c2c8be0aa7325ec3b73dd6ed9e6a438c4bb9c6f5a80c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | b039bf85fc0dae9052f3e8cfb391e856 |
| SHA1 | cc7d4153bb6176f91be9372aaa5d05734859c1bd |
| SHA256 | d165d63eb58b15c10820dc95a32d81880ae34586ecf917f22d32a116a72ea879 |
| SHA512 | 597a5ae69fe7ec1246f4b3244ae214a04cbdaa40d18a1bb85c02387740e0cf81122aeb97c133c61f302b4ad61439afc80aac4db6eedc3e6d5a4a0681f96f2e50 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 042fbc5faa9d185de5091ae62c5f2912 |
| SHA1 | 8d44d3d6fb20a6b09268ebfdd8b4ce011d2c117e |
| SHA256 | b2fc210df714f56541e8ebb7d68b093825bee31ef63f32b1b0c4c36eba37b6ea |
| SHA512 | 27be9c166115eb907511bd67460ced6d3b73e393f1eebd43e17e523d24a871af87d3b997ae632f986ec99c648d691c892bd9b2c53642ce212beac59668b65f51 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\cookies.sqlite-wal
| MD5 | 1998ea2238b846dc00da20b370cc8dbc |
| SHA1 | 9221396a66f963241d29fe65930ea4df8c4b6905 |
| SHA256 | 9ab8bb11df703b8210b58a4169b0e2001d7e2f5b28175d7f326f23ace565c053 |
| SHA512 | 30e48c3f857dc7d7b5abb1641f83be208e6e5aaa21b638a81563caa4d925e2a9f438eae9c3d024725326136801a700b4780105f2f71bb2265cd1ab57f7f02c5a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js
| MD5 | 0422074ec07e41f701f620fb8082031b |
| SHA1 | 1b549cac3905ce2866ade82f9d50c7395825699b |
| SHA256 | 1b79805db031de3b30447c3060223e790cf969cd759e3693cb1d1b92581b4dc3 |
| SHA512 | 8a41e42217a73f2accd294d8562fb2c57500211482d369e900bfc90f76fc86ae760c5a6245a1c551e5d94572f2313281f038821a6881b3c82498db7ca9b7d52a |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin
| MD5 | 764fa98164c24da50f6c8d7b51030adb |
| SHA1 | e680d41c5f5cb00f530ab239920179a1d13ca436 |
| SHA256 | eb31eee4ae42a85607d58ef4a7b8a10401854d1c1c7da4416b242d94939c1a18 |
| SHA512 | bfe6fe998d35c301b277826a4beb01e71c6a2ed85edcc8013df509cb6f604c5fd2647014b3dd48208da2e52cab48c3879ebe0ce6aaa482bf36e98a19d790b293 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\places.sqlite-wal
| MD5 | 508ebce803db464fe5459ae99a3d9de1 |
| SHA1 | 724c4b550cbacc761552ab3d146b79f6715f43c5 |
| SHA256 | 21a16cc399dfaab8b1c46958ca6e9489980d1daaf9ac7073ffcdea83befac3d2 |
| SHA512 | 9afabfbdd65e419cdd99c34eb9c26e119341e876d3b1c4696b40825367ef595fdd89e6abe1e8f306d6d657747602ad66751420f35337345e3cb935d6475b6dd9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js
| MD5 | bfb823409a973511d073e9f4fa9c8a71 |
| SHA1 | c86de5741d4c02dc420489e4e66c2c21ca809d8e |
| SHA256 | cc2a942345c3b7484cc6805accce291bc14b0ffec335d1e6af1edcacfb3d9af0 |
| SHA512 | 0803a27df7048a559faa82ccea5fe7d8fed9fdec390c7fc7462ecc4ede878e67921ff23c53d057087d497ea143ede36d76778e224eb47b833dd46f0837623084 |
memory/2820-478-0x00000000002A0000-0x0000000000E84000-memory.dmp
memory/2264-488-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-489-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/1548-490-0x00000000006D0000-0x0000000000B94000-memory.dmp
memory/2820-487-0x00000000002A0000-0x0000000000E84000-memory.dmp
memory/4876-494-0x00000000005A0000-0x0000000000A64000-memory.dmp
memory/1548-502-0x00000000006D0000-0x0000000000B94000-memory.dmp
memory/4876-503-0x00000000005A0000-0x0000000000A64000-memory.dmp
memory/2264-512-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-513-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-518-0x0000000000710000-0x0000000000BD4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | bdbbf322686e049a5c9128bb2401493e |
| SHA1 | aab9f6cdfcd73597840e22f9fe49da4d621aa059 |
| SHA256 | cfeff1fbfae5cb9daf9898cd622948a057e14225f4985469f502f13e17b50b13 |
| SHA512 | 3a5bbcee8d3620b8163a8fbce2d7a9f278f08b0cee81f3a5a5688178fd6aeffcefb0fd5776c730682cbc873fa4f97e13fe0a978c9fe9b7abcac2f0fc778c9f96 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | 8db159c343089b17945d9697e86c247e |
| SHA1 | f56d53502c8867c977a001d47f516b7dc4797cf6 |
| SHA256 | 344bcdbc23d22fa8634c97e57e8bea35c40b9c04005af5e2891aa6a5efe74dee |
| SHA512 | eefaea60d7f8199e402d208f4c720c1c9c76d9cda92e8066f803be2fa42ebcb506bcdd323a9e90c5721a71503cabf473127c48b540dda3beb6d49de6dc7917c3 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs-1.js
| MD5 | cb92ce3bba640f0496591a4db622879c |
| SHA1 | 26502b6c24f19ede1bd246d188a9ad04c2866e54 |
| SHA256 | 65919e8f69e8067a036896c73296a187992bcc8f95f99e04b7d4a650d1185e40 |
| SHA512 | d063dcc2d83e1e560151f93c921b84e2723be6c82092a1a03b4ebff268968f6b71b1bd4cd8a92a36ffea9cf838e0d054232118c73cb94b81c53b2323c7c2a6a4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 7c46c4a680c06167335ac31175cdab58 |
| SHA1 | 44964c66e7ce87ab5b70f6f63ba1ed267fc810b2 |
| SHA256 | 9e0db454b360040332a0dc9cc2259db33f039af1d7da54e62e114ac52d3fbdf9 |
| SHA512 | daf7bb84b80c457998cba2f65b7b390a7e12a2e4359cae99ceaad1f4e06582c46c37c55a208b80fd9bf4f3cc186f28448cce86609f5bd9e93658fb59ee3e94cb |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
memory/2264-1029-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2125-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/4900-2634-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2633-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/4900-2636-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2640-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2641-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2642-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2643-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2644-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2646-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2900-2647-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2900-2649-0x0000000000710000-0x0000000000BD4000-memory.dmp
memory/2264-2655-0x0000000000710000-0x0000000000BD4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 04:27
Reported
2024-07-10 04:30
Platform
win11-20240709-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe
"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe"
C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae72c630-3939-4cc8-aa7b-b5e05e550aa6} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {859763fe-df75-472f-ad7b-a50efebd67a8} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3080 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7fb001d-db46-45c7-8809-adaa124f72c8} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 2792 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6966ead2-7a68-4137-b20d-5c7cf6025bfe} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4704 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f33b7b-00e5-4091-a369-747a82f45526} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 3 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2353c653-77d3-4891-a628-82f9f686c35c} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 4 -isForBrowser -prefsHandle 5808 -prefMapHandle 5812 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1711572c-b508-4a51-9618-4f44f160283b} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 5 -isForBrowser -prefsHandle 6092 -prefMapHandle 6088 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e471780-a800-4d94-a09a-e34f4b80a915} 1376 "\\.\pipe\gecko-crash-server-pipe.1376" tab
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKKFBAEGD.exe"
C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe
"C:\Users\Admin\AppData\Local\Temp\HJECAAKKFH.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Network
| Country | Destination | Domain | Proto |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| N/A | 127.0.0.1:49891 | tcp | |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| GB | 142.250.179.238:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.179.238:443 | youtube-ui.l.google.com | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| GB | 142.250.179.238:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 52.33.222.107:443 | shavar.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| GB | 216.58.201.110:443 | consent.youtube.com | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| N/A | 127.0.0.1:49901 | tcp | |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| GB | 88.221.134.209:80 | a19.dscg10.akamai.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| GB | 74.125.175.38:443 | r1---sn-aigzrnsr.gvt1.com | tcp |
| GB | 74.125.175.38:443 | r1---sn-aigzrnsr.gvt1.com | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| GB | 216.58.201.110:443 | consent.youtube.com | udp |
Files
memory/872-0-0x0000000000860000-0x0000000000D24000-memory.dmp
memory/872-1-0x00000000773A6000-0x00000000773A8000-memory.dmp
memory/872-2-0x0000000000861000-0x000000000088F000-memory.dmp
memory/872-3-0x0000000000860000-0x0000000000D24000-memory.dmp
memory/872-5-0x0000000000860000-0x0000000000D24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
| MD5 | 2dff402b11d60b8d635038afcb1edd60 |
| SHA1 | c62452c7fec9c0d9e2fc85a1682cf451698a8e2a |
| SHA256 | b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa |
| SHA512 | 0cfc5fe4924dbd0b86999f6da23bbe5edfb8f4d404b6c33bed029c86a7faf21fbd043b8a497508245cf99ad1e49f555bee573b21ab40a4948d44ad959f437690 |
memory/872-16-0x0000000000860000-0x0000000000D24000-memory.dmp
memory/4440-17-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-18-0x0000000000031000-0x000000000005F000-memory.dmp
memory/4440-19-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-20-0x0000000000030000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\41cd46020a.exe
| MD5 | 77e2f975608c88144f09c2183217adff |
| SHA1 | d54426b5072ad1b974492836fc2ddee0bc6f2747 |
| SHA256 | dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9 |
| SHA512 | ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64 |
memory/396-36-0x00000000000D0000-0x0000000000CB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000010001\2701b1cb7f.exe
| MD5 | bea6ed281b600eae06be252f581721c1 |
| SHA1 | 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d |
| SHA256 | d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf |
| SHA512 | 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42 |
memory/396-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/4440-98-0x0000000000030000-0x00000000004F4000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\facdcefd-4dff-451f-9f6c-4b1ef0c609c0
| MD5 | 26abd81359cd3b6f5a43a616766ad834 |
| SHA1 | 0b12fb7610a53b564542383947530f76a496d34f |
| SHA256 | 546836087a8449eb7568c460868cf688b38ec1e2ec58a3595ff60c84b08a14dd |
| SHA512 | c2dc0bac874fb87f9282202d856c201808c91207a5047c196cb85f0b0aa9ea1e9e0ad3c0f47a2368e47cfde8047832d24a36ea5d62ebcd1824dae914167dd08e |
memory/4932-354-0x0000000000030000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 952b6c90353e3984de2227bade5a3d7b |
| SHA1 | e42b76901a07387da3e4fe4ae5cf2a54f7b46254 |
| SHA256 | ad88362a7740b910ce6bfd17ffa7d4154fc970f1c1eb0b512a81b844c7b39aaf |
| SHA512 | 2ce271315ef894032448017ed68c6c39e7f006f8c4e229c6ba4f152d2cb741ddd8817036ab1e742542196d3cf747dba8d782cd3f8c93622a912303073e112a8d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\ef89537d-6b81-4401-a45e-4a79ed8006a2
| MD5 | 4cfd460bbdae475f479c10382b22dbc9 |
| SHA1 | 6c04d0bd747263d25524e34343b02e1237f3e128 |
| SHA256 | 73a1483b1f294b1e52b2a2e48c9305b3e696fbd4755f98d0e139f9cb1a392033 |
| SHA512 | 5294adafcf7d995d845ae579c70d2c10ca513bc51b11c03dad579c82a5d1efafa0d23bffa0eca00fc97a219cf1873ea795f221aceab88ead19570b3e3fd10a31 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\6c48647b-b6d2-4472-a2ee-89a42c696b08
| MD5 | 808f4f03707362ba22f159f678dbab52 |
| SHA1 | 9d35b879833f1fc3587e15f7aae1dd96811ce2cd |
| SHA256 | f2d39989045c80f6c60a566857e1591f3c1a32877bebec389399c20f9bfc70d0 |
| SHA512 | 544eaa0dd37e0031e23251ae9ab2795d1c9d5bdc4c6b2a470218bb927bfbb8e88603893f4d0a1d7089d66423e49904c812531bdc7fca87e786538cdc19a1359f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 50819d9cc5aeafdc8f15e5e03c69a758 |
| SHA1 | 82399780e52beb58fad28f920208b9809236cd5c |
| SHA256 | 3002338abc91439aaa58b808ac33ce9b100bbb00445dab4f0401a2c0c4ba1017 |
| SHA512 | 5110b2964a1de83862b4db815e484c38f8c1f268f97cda12e79c24eb24e7cb6abec904e4bf2264fe13514835927ed9a8bcb465073a448637b77bf952fdaa258d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin
| MD5 | 8ca8b4e8fe7058f7f769177b110d3c29 |
| SHA1 | d107eaa9b9dd5edef2faadf6e94df19fa63fbd7c |
| SHA256 | fdb6024bbbffffecb8b9ace6f3a303e8142ae4dcfd1e11b9dc9dd1b65b7b6338 |
| SHA512 | 61916b9fe5a1d4ffa69bf95a1e5bf23bba9b4976f72118815fb2ad0aeff774692cb5e3ab073e2c80c77d002d69d65b734042e815dbc766f826daa9031b4a95c0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | f19eb90215f9d86a6c333a6c02e55a9f |
| SHA1 | 8919682bcc04fe377ef3fbe5e7ada24c6297dfda |
| SHA256 | bdb96dddc3f123f39123548cdefd7c1d89bba30c093f005946cc743d5dde5dc5 |
| SHA512 | 1cdd5e018723086c95e576b23189411fab1e8aa2b4cd96d3b3fa6c04cd239e0eaf554141c61806cfee3fc4a85c96b6275d47c6cb1d9cb9502f944ee841e412f1 |
C:\ProgramData\KEGCBKKJDHJJJKECGIII
| MD5 | d73d1f4cc04c9357011b36083d11f667 |
| SHA1 | 573251c39d5f355b1cc748d073eec883108b054b |
| SHA256 | a21f86ab14bd6cf870e4200ea3a21089942e213096191154a37f958800cf6a1c |
| SHA512 | 7043e96c041e81101f0fa90545ef450891f6666923a599ee75704b54651b8f1adce3645f9023ba121f798c9e4f5b2b719a63eb849dec65b8cecea7d7af8c29fb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin
| MD5 | b98c6f5fbec4796c079b63b8460d8c72 |
| SHA1 | a05ec9c3f57d694e82f3b4b3c1cea525ed462651 |
| SHA256 | a96ea86dfeacb59e5e7d2950f689dfa344873e4b60bfe05a35f3854d6a52af63 |
| SHA512 | d46196a0c8e5039ceef068c31b8f0c64184e0848f1fb524518d6b8421c3d865d06c2f4f407863248d8201a02dfbdbc1c9d10e9d648a49f1a473985e08a824a9e |
memory/4932-460-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/396-472-0x00000000000D0000-0x0000000000CB4000-memory.dmp
memory/4440-476-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/1936-477-0x0000000000680000-0x0000000000B44000-memory.dmp
memory/1936-478-0x0000000000680000-0x0000000000B44000-memory.dmp
memory/4440-486-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-487-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-498-0x0000000000030000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | b733626ba37d19291875f3e0bd185242 |
| SHA1 | 1722dcc0ea5a623d10d4808cf99e8096150172fa |
| SHA256 | 6248eebae2b14a848aca193a4a3bfb54c82aa8b66b95c2c207306bd40b47f370 |
| SHA512 | 18caa8a3a96130168516d69c3f5d8ddc4fbae5a330b71a88aed5951df0c7cf5c48df01f07644c1c40e650ece0bfbf399796b494aed2903d7d7acb5d9da25f434 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | ec81afe7347f164b5234fa6ff6ae6e47 |
| SHA1 | 395e99fee9e60a6a8e5a6bd337e1f1b3736d50b4 |
| SHA256 | e5902279652181784ca8efb720700ac5d55b099f37d703f9958fba56a0efe88b |
| SHA512 | 3e77780e65f4cdbf6b1d0d22c78eb16737adca6793d94a9bbd2b2744e99c117029d9f80d13fc173585600fff7ab985f1b17dbd718a55898c8db1a9c7fed08af0 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js
| MD5 | e160cba20eb636578d0a4ca42dda42aa |
| SHA1 | f79489e626249d72a3a0d3baa790c3b9e11ca8ae |
| SHA256 | 89f2420f018757dda8753652c45d1c34bc9b71960189757016993cfa0abed5a9 |
| SHA512 | 52a39a679c0cb7eb04b2148216586d57367296bee1f910c6f7aabc6f14d3138a088d3f4a3a31b2468624c4aa1e0581867de152712056b6ea4e502dbb7d2ec200 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 0997eaa16d420961296f500d24cde4e7 |
| SHA1 | 5a39d3048a113fd783f0050e186bd08eda39c6a3 |
| SHA256 | c165cf513756ba5748781995a61db2d4381bda208c440b6e423df306fbfbc3d3 |
| SHA512 | c25a05e168b1d0ddb0de2f3093f4eea91ac48523991d7de01839653cb32f938e4ac55bddafac8959f4d1ff813dcdb2987c4b8008d6237cbdc6f96b9c24dbd80d |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | cde09cb187f4fd326dd61dbb27a1b4c4 |
| SHA1 | 02efae82841ed94d7fbf25427089ff71a1b2bc62 |
| SHA256 | 398c0485da9a4a7fb242cbbc6bbbcf1d0276a0a856341edacd5616d9a454f769 |
| SHA512 | 764574d12315877a6b0475cac821e3a9a8dcc10243a48f233584ed23909d53822184b61c6b4ce8683eaf9c50663b5c219f2508571a4c0b1d84bad8320ad4128f |
memory/4440-777-0x0000000000030000-0x00000000004F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\prefs-1.js
| MD5 | 8f42f74c69378e19c603b464cb23331f |
| SHA1 | 36914eb96b91ddbeac8cb43b05c1aafd140f1531 |
| SHA256 | 936b71a2fcbb64e9cbcfacdcedb20b2d4302d367990894f0cfffea85d730ee3c |
| SHA512 | 608b3977cb6f778ed9e3f6cba7a12a00e5eced670d1f8af34c034c7fcb1b70a5cc467a54fa51d20f4407af85367dade82ef5f1184d9b5f75410bedc10cbc5d33 |
memory/4440-1952-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2580-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2586-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/5064-2588-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/5064-2589-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2591-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2592-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2593-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2594-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2595-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2596-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/6036-2598-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/6036-2600-0x0000000000030000-0x00000000004F4000-memory.dmp
memory/4440-2606-0x0000000000030000-0x00000000004F4000-memory.dmp