Malware Analysis Report

2024-10-18 23:42

Sample ID 240814-hxcmxsygla
Target 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA256 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
Tags amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6

Threat Level: Known bad

The file 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 07:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 07:06

Reported

2024-08-14 07:07

Platform

win10v2004-20240802-en

Max time kernel

31s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4dfe0e4ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\f4dfe0e4ba.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4908 set thread context of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 set thread context of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\4b5c16ae16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2064 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2064 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2000 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe
PID 2000 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe
PID 2000 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4b5c16ae16.exe
PID 2000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4b5c16ae16.exe
PID 2000 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\4b5c16ae16.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1620 wrote to memory of 1484 N/A C:\Users\Admin\1000037002\4b5c16ae16.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2000 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe
PID 2000 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe
PID 2000 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe
PID 740 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 740 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4332 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe

"C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\4b5c16ae16.exe

"C:\Users\Admin\1000037002\4b5c16ae16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8159eb95-4658-4a32-8ad9-a6ecc7effa0b} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cdc9bb-baa5-4b5b-9db6-94cfee1c3ad8} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3164 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e3a80c-ded2-4918-b3fe-548e4e699037} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf97e62-e790-41a4-a6f1-f7408e7ab5b4} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b8bf9b-9ace-469c-b22d-38a0c6983252} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5300 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e3da6f-232d-419d-9231-9c8e507ef5a2} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5216 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {837b173d-afcb-4c34-aea8-1e96d793b096} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0b2ed8-fef8-4c0b-98ad-e0b56033ffb5} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 6 -isForBrowser -prefsHandle 6352 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {658923cb-6b5e-4d03-af10-e3af5969f84c} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:56902 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 172.217.20.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
FR 172.217.20.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
N/A 127.0.0.1:56910 tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
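
Most of the table above is sandbox noise (reverse-DNS lookups via 8.8.8.8, Firefox telemetry, Google endpoints reached by the spawned browser). The rows that matter are the plaintext HTTP connections to 185.215.113.16, .19 and .100, where the Domain column simply repeats the IP because no hostname was ever resolved. The script below is an added example, not part of the report or of any vendor tooling: it parses rows in this "Country Destination Domain Proto" shape and sorts them into buckets so the candidate C2 endpoints fall out. The benign-suffix list and the "direct-to-IP on port 80" rule are this script's own heuristics, and SAMPLE_ROWS is a subset of the table above copied in as constructed input.

```python
"""Triage a flattened sandbox Network table into noise vs. candidate C2.

Added example, not part of the original report. The row format is
"Country Destination Domain Proto" with Domain optionally empty (IPv4 only).
"""
import ipaddress
import re

# Subset of the report's Network table, embedded as constructed input.
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:56902 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com tcp
"""

# Assumed allow-list of the sandbox's own browser/OS telemetry domains.
BENIGN_SUFFIXES = (".mozgcp.net", ".mozaws.net", "mozilla.net", "getpocket.com",
                   "google.com", "youtube.com", "bing.com")

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[^:\s]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_row(line):
    """Return a dict for one table row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def classify(row):
    """Bucket a row. Geolocation (the Country column) is deliberately not used as evidence."""
    ip = ipaddress.ip_address(row["ip"])
    domain = row["domain"] or ""
    if ip.is_loopback or ip.is_private:
        return "local"
    if row["port"] == 53 or domain.endswith(".in-addr.arpa"):
        return "dns"
    if domain.endswith(BENIGN_SUFFIXES):
        return "browser-telemetry"
    # The sandbox never saw a hostname for this peer (Domain == IP) and the
    # traffic is plaintext HTTP: the shape of the Amadey/Stealc check-ins here.
    if domain == row["ip"] and row["port"] == 80:
        return "candidate-c2"
    return "unclassified"


def triage(text):
    """Map bucket name -> list of parsed rows, in table order."""
    buckets = {}
    for line in text.splitlines():
        row = parse_row(line)
        if row is not None:
            buckets.setdefault(classify(row), []).append(row)
    return buckets


def summary(text):
    return {name: len(rows) for name, rows in triage(text).items()}


def c2_endpoints(text):
    """Deduplicated ip:port list of candidate C2 endpoints, first-seen order."""
    seen = []
    for row in triage(text).get("candidate-c2", []):
        endpoint = f'{row["ip"]}:{row["port"]}'
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


if __name__ == "__main__":
    print(summary(SAMPLE_ROWS))
    print("candidate C2:", ", ".join(c2_endpoints(SAMPLE_ROWS)))
```

Anything that lands in "unclassified" deserves a look by hand; the point of the allow-list is to shrink the table, not to decide what is malicious. Note that the three 185.215.113.x hosts share a /24, which is worth blocking as a range rather than as three addresses.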

Files

memory/2064-0-0x00000000009F0000-0x0000000000EBA000-memory.dmp

memory/2064-1-0x0000000077D24000-0x0000000077D26000-memory.dmp

memory/2064-2-0x00000000009F1000-0x0000000000A1F000-memory.dmp

memory/2064-3-0x00000000009F0000-0x0000000000EBA000-memory.dmp

memory/2064-4-0x00000000009F0000-0x0000000000EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 6a8855023dca6226bcfd23ff4ba3a6c8
SHA1 aaed3742a5352026e782f0b57431773039b7afdd
SHA256 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512 1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05

memory/2000-18-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2064-17-0x00000000009F0000-0x0000000000EBA000-memory.dmp

memory/2000-19-0x0000000000521000-0x000000000054F000-memory.dmp

memory/2000-20-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2000-22-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2000-21-0x0000000000520000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

memory/4908-41-0x000000007393E000-0x000000007393F000-memory.dmp

memory/4908-42-0x0000000000230000-0x0000000000362000-memory.dmp

memory/740-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/740-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/740-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\4b5c16ae16.exe

MD5 510bbbc4aaa1435c2fbaae4a72ad2055
SHA1 8fcc653c1da4c9b641b0ee566565ae27127687ce
SHA256 cd390760087ffc9c698e75f33f6c2844e97131dbd00a894dfeee0f1b144f2222
SHA512 4701c53d69c6000cb9759f13b31074c8ae5dea21ca09ef40a2aec2bdcf72b52ede4b7327bda398a937094e2d4074a58c8ac9d4c079ddb31ffb46a000416e1a65

memory/1620-67-0x0000000000490000-0x00000000004CA000-memory.dmp

memory/1484-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1484-71-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4136-87-0x0000000000080000-0x00000000002C3000-memory.dmp

memory/4136-88-0x0000000000080000-0x00000000002C3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\e5a76c61-c750-41bd-a140-fddfed0e9e9b

MD5 a0dd8a39743a2f8cf56e638e5e1a3beb
SHA1 56f44061ff48eaddb6187cd70af7128b43fe25b8
SHA256 5d57731e721a42656e91e44e84a7cb8591209254acd7e9c0928ce085552b5369
SHA512 e53e74d168f5de096e6e4ec3a452a1ad4315c63c9dfd6b1f28520267da59a96da374697855cc52a42800706eaf66e0c2419e0bf6555e1fcd6319e0eb261bbc81

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\a1819732-e64e-476b-8082-18996dba3647

MD5 2edb9f23bbe2ff479a766c88bebbfe40
SHA1 9a49465508efae245ea46a65b1c6669a71a8c0bc
SHA256 596e2dc97be11cadde91c4348ed4c20dc2163e31b9a5bca2024c58db070d96d4
SHA512 70eeaf8851ce7f0358a3825ab5136d24bc912cb35b53b8e6c13d9d94d1d70fc869f7b5031b528e120ec0508d0ca43db211d18aa1d547eeadc252fd94953bbeec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\cc257946-ff83-4e24-a0ad-bf265b3f5f4e

MD5 ad2deb559a2bcea8baa151b85e8a183a
SHA1 b6fe698bfeee8e74ca939b532a30d1c67c635d16
SHA256 cda261167b43645962f7513f4c62032ebb528bb89f16ed0299ffd8aa266ef3fe
SHA512 9384b52e1e9e8e1712ef544aa133b2c3ddb07ad62f5b91e81c4cdf81441846f402f0805dc5ca7f10fee4576950b08a361a7cf160ded3199bb21e21783b75b6ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 ccae4068cfd53ab0ad377ef16e2e4700
SHA1 9b3eb40c8a6e28b58e5ff198ba4bee94b6a82f7a
SHA256 f8da76e19cd59fe4c041471187180684295a1426723225214d5e5384db99a564
SHA512 0e97dcfe863e615b55f09fe1034594d0c6aa83a47053109f9378977c3231838aada2950803a3298ebb9565c7417e022d3680ba45bb0de3e31655f1b8e1641738

memory/2000-340-0x0000000000520000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

MD5 94bcfad3d0b0311552212fc2cb10ed46
SHA1 66519aa7be937a7f65529d1566de0f4ba5559312
SHA256 b0d39e09dc9a045e0cba8d75645a610471fdf3b28ebcc3ad308d93b138f152b4
SHA512 8982f5d71c698b81e9b9347bb2f6154b4b8aec05fa5aea2b77fa835e664c5a5c727d0b59c99e6b5fa390a93f165441ea9f468de0c442058e46f4fa7045073109

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 2ddbcf412c26e10b3fc9c47b553080d3
SHA1 037bdafc2661a8201c7065d6e2fe23253e1f7beb
SHA256 3922a46b5844d02985bf1060e9e9bedce7a4ca0671f4d9ea660b66eb0760411f
SHA512 8b9e3c6cc5ef3063cecaba69af4b7212836b57279d0afa5a8ac8c917c2c4ac493b6728d1be5e0aad6bafb086194991c56f55e6c21b0409dca8dc9737c865a0e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

MD5 c7563a75b5ce328869001f1fe060709d
SHA1 ef4ff3f508e8438646db59402711124c6cdf4e20
SHA256 63d028f77b7631fb54478a30d772e55f0dd7e6acd2389f9551d7ac9b4040eb1d
SHA512 4501de08eb0263593747f00ceb229eb36c93df88685d74f83f61cdb391c02fb95319ab58b41a6f985e0680eac41504fba8d4cf2b0bfa6f09a20ede05bf82c93b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 758d969a8d03925dad87b9b422fdcced
SHA1 4f3fdde94632c4a66721d92f23d4f00b63c5355a
SHA256 3fc6178f7021c6958e8df76d30dc497789dfda88c7db2b0e4c3cd624e42a5fc4
SHA512 f0e29c5234793064b8f69c7f1b3ce90da4982608c9a663ffd0d02fc86032a5456814a7b5deb9cd9e932e46d268578916272ddec37c9363c4c452409c09211a2d

memory/2000-432-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2000-433-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2000-442-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/2000-443-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/5656-445-0x0000000000520000-0x00000000009EA000-memory.dmp

memory/5656-446-0x0000000000520000-0x00000000009EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 07:06

Reported

2024-08-14 07:09

Platform

win11-20240802-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa630bdd3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\aa630bdd3c.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable


Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2756 set thread context of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 set thread context of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\3990518d4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1420 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1420 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 780 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe
PID 780 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe
PID 780 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2756 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 780 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3990518d4e.exe
PID 780 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3990518d4e.exe
PID 780 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\3990518d4e.exe
PID 3636 wrote to memory of 1340 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 1340 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 1340 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 904 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 904 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 904 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3636 wrote to memory of 3272 N/A C:\Users\Admin\1000037002\3990518d4e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 780 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe
PID 780 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe
PID 780 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe
PID 3612 wrote to memory of 2580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical events)
PID 2580 wrote to memory of 2268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical events)
PID 2268 wrote to memory of 4588 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (14 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe

"C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\3990518d4e.exe

"C:\Users\Admin\1000037002\3990518d4e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b118abe-3b39-4ee9-bbda-4c9ae058f35d} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {257bfdfd-e136-40e2-a158-2106d30a671f} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1524 -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 3040 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834d8a2f-17b8-4fdc-9972-bb9584f858e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7674a4fa-f35d-42ea-a854-409247fb30e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4532 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ea7d5f-4163-4e3e-9239-baae0c26ba56} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14869bc3-d2af-4f4c-b693-a6f251bba938} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5576 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3868653-7684-4abc-8f62-6146c1fee0f6} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8c6faa-4174-4c61-8e5e-a382b0d6598b} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6284 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {844bf7d7-ed28-4464-801d-967d37ccf8a7} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (6 further instances, no command line recorded)

Network


Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 6a8855023dca6226bcfd23ff4ba3a6c8
SHA1 aaed3742a5352026e782f0b57431773039b7afdd
SHA256 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512 1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05

C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe

MD5 75a2d87eafbefb74dc8bab6fec16cac1
SHA1 c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369
SHA256 0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a
SHA512 1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

C:\Users\Admin\1000037002\3990518d4e.exe

MD5 510bbbc4aaa1435c2fbaae4a72ad2055
SHA1 8fcc653c1da4c9b641b0ee566565ae27127687ce
SHA256 cd390760087ffc9c698e75f33f6c2844e97131dbd00a894dfeee0f1b144f2222
SHA512 4701c53d69c6000cb9759f13b31074c8ae5dea21ca09ef40a2aec2bdcf72b52ede4b7327bda398a937094e2d4074a58c8ac9d4c079ddb31ffb46a000416e1a65

C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\91f84ebd-0dad-4690-b351-977ff5764a27

MD5 e66800dcf46dcbfd9e8a44278b6438ae
SHA1 39914a78abe6b298bbad723dd48c3f4ce0fe58a6
SHA256 634fb5b5e481ec0024c6d0fa087970f415b755e889239999c7499b888e9637a4
SHA512 7393cef845db758471243b1e60ba1e7cf2567ecb2d6e6eef403cfdac48348a4406ce47745cff09568fd425a64ae8f64e37e2222ae5c3f4ff951ce25d7b03a8f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\fdd85613-9796-4efd-8da6-ef7231c3a250

MD5 19a7da920d874893a57fb9d8e5ffe89d
SHA1 1f1d0590752e3a5ec3f643a9320e9cbc33358718
SHA256 f88659779b3105aec66484114f1f4fbfaf796d9d70e2c6dcc457530f16e11be3
SHA512 ab0c3b0e7325ccdc8d34b44fab89aecd32876b43d8587069da346653f8704405105a858ad538b1b1c6eca2ede0c9d70ef7bbe08bbed31ad41f2830e9838f38b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\59b4d5c5-949f-49ff-9d0e-777b7224aaf0

MD5 843b5c51cfe3a6a5f079db055fe2c787
SHA1 6f095ebf92be36d888efe9beaab4453db240e25d
SHA256 b31640002b9deedcdd5644a6de6de8f6fec6a91c5c21d3b4afc0dec295ce70d0
SHA512 c9c3614f61561ad57c70187735a5104e4d9990e48d35603f6c9d5b7e49ce6dd7fd3a786c738dbb3f7f169897b9e550fae82f4d3a1c4b578cb6ad87a5905db4d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 99908e397257dac8466a0ee9d43be9dd
SHA1 ab2fde0b227b106afa09cf95b3a46153889934dd
SHA256 84991ddbadbcd5d43d5948d001e76392042ad7c2ec3edda9a6a56d21999e1472
SHA512 e9ca157f46409cefaf612de0e5b85633224b44c6898c872db460bbcde48f7d7fec4c0f02daddc3c36257b258f85c70c9a89a37c1f9d7c327fa6e9ec8a5dfde59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 9ca75c74dc0f850d16210dc3e70b3943
SHA1 dcf3547461a42f826d1ba90a611ecf24f16dafe7
SHA256 3ff7c2396f66fe41d96a0284611ef619b11dd8535f0ffd2c6b7a96bbc14b4f40
SHA512 8cf91f9dcc4b8d171640e62dbd5f19e02c79d320e25dd9e174357d766ebda3299eccc74f54292723339f19e2aacd2fc795a808d672e8fb09e104d419d2aedcca

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

MD5 0b228b260337da37810a5bcd205e78e4
SHA1 d0e31cd9b1aeacfb9ce26b648ea67f4004700f87
SHA256 f5c0dd67961130187916289781eacf50caf1364f2b7518953c93107cb0800a29
SHA512 b4d24b6bc7176e53ea3a0669fbd8651a1794fd8de30e84722af8f97b6fc9c3757501b93c631ab818cde2d911b994c8d5248467d0bb90b9681ab86d786013b199

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 9d233287b328fdb88aca6e508a393332
SHA1 c0449055ec69632f610ae3c2b283ccec71d838c7
SHA256 4f3c1dcbc0cd25e98f9eef6d19b69bbc07d5fbe9895b892e5fbf5a6f04eac4e6
SHA512 030f4ebaf6359548ccb2ff9387dd3625867803a526befaa3c9e71f81176e1a2c3014b0ceb07cad64f4450c1bc9f267d0765a4ced3d05541480295b7d429d86f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 3bd8cdb13c1eb0d5a720dc167d0048e2
SHA1 a6143b65e76c6ddcd2319004ec692e1010aaba43
SHA256 6b9e8baa5e5a64e8021f39820a22e1db6daeabace403a85067aaa107cf2c4bc9
SHA512 98312478a40944db619ccbfb5f1b5958403fcc63668e02c48377110b1a0f7fab41fbdf68118ef3fca6a165169ceadd0b6fbb89403f18090ec1aace73837729a2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 9f1f341c35552d3281934fe87d12b396
SHA1 4ae31cc73e6c1cbe7715ef4f9f6723987e622f7d
SHA256 3b9dcd1dbeefc18ee430adb328d51da586d62dab6061ff9b37b8f43c79837006
SHA512 9527e021b2122652da483b6a0e79a5ee0bbca43ac0af88f807976b63142fc4a16ccdc6c4ec370c9760b4fc47b27c919399b889e90c40026b488b67dd0a29e49c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 10e94b5f038fe593cbcb18067e7609d0
SHA1 c64c56ec5bd67cbfbff471600537731908178fe6
SHA256 758ecbf0161461ad28635337e051efa4002c3b3a1f45ea06e0882412387df02d
SHA512 9ce4c6bb4946d351c66c0a669c7c0129f9c6255d99c29fad0a20dee94a5dbe22a2c10ab2ddddcc0b9171421a5a5bb87fca1b4fba379ba280d96951c2ddb04b30

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 10fec288cc6c43b91be6ff93f31c35a8
SHA1 ee3158f3e29c9f67678d9cbc1b5f2b118deef67a
SHA256 05c3354803094ef59694520201daadeb7d053627856e0daab18c8eb0efc4f3aa
SHA512 00f042a927ebcf0b0f585a36d5424ae397a1cf6e4812d4094409db58ab2f8821d9987af683e67e21bae17cf21e5c0bf791d175a5be19542b0c4ddbfa076d67d2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 72db3c01928fb413013efc3f45401ba0
SHA1 9492c9eb4d257cf5ed1e2c3a515573851e0a9119
SHA256 5280487206a1e1aefebcd55b47762f4a8744ba07ddf58cbbb78734fc94d868c3
SHA512 bb11231fcc31ba182a829a57afca75b957e3eea81c3cd4bd980e5400c14aca51a923a946a435faafcdeec6c72ecc314a291f966d243fea4b180063c38932124f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9fc2d176e9d9d959c1b5eec75aa8d36b
SHA1 5b5d163d92cbcb5454ed1f787e1963fa4b849f5f
SHA256 b2fdcb5245083fb0aaa39a7f5b1d18a619422b10cfb34e908656467023251d42
SHA512 a538f1a4c5dc42fc62eee797644181325036a3176e52d91b310cb9bf5cbf83e556bb83392d0f01466905da07229489696ce43347132b6c34b00618969e27db97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 e8c359468500c2e73e1e0454e0fe873e
SHA1 856470ad88d58316b83fbba6a9e957d69cad67c2
SHA256 23d2768a672a0f7caeeeba2c51cc1a68a373c79740b12960934b38bd41538e36
SHA512 da0436ed26b7aa1c79c237cf18e7e1c246bc9327114488c57cfb16ca7e55e556f8c2e35b9654837b352d4ee08b6408a268890af289f85e111bd5759d60ad00a0
