Malware Analysis Report

2024-10-18 23:43

Sample ID: 240815-hey37svdnk
Target: fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
SHA256: fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24

Threat Level: Known bad

The file fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan spyware

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 06:39

Signatures

Unsigned PE

Description Indicator Process Target
(no details recorded; 1 row)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 06:39

Reported

2024-08-15 06:42

Platform

win7-20240708-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6e34ea08b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d6e34ea08b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
(no details recorded; 6 rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2732 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 set thread context of 2380 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
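The registry and file indicators in the evasion and persistence tables above (the VirtualBox ACPI OEM ID, the BIOS version strings, the Software\Wine key, the Run value for d6e34ea08b.exe and the explorti.job drop) are the rows an analyst most often lifts out of a report like this into detection content. The Python below is an added example written for this page, not the sandbox's own code: it parses rows in the report's Description/Indicator/Process/Target layout, normalises the kernel-style registry paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) into the HKLM/HKU form hunting queries use, and tags each row as anti-VM, anti-emulation or persistence. The category and technique names are this example's own choices, and the ACPI rule also accepts the FADT and RSDT tables, which VirtualBox stamps with the same VBOX__ OEM ID, although this report only shows DSDT.

```python
"""Tag registry/file indicators from a sandbox report as anti-VM, anti-emulation
or persistence. Added example for this page; not the sandbox's own code."""
import re
from dataclasses import dataclass

# Rows copied from the signature tables above, in the report's own
# "Description Indicator Process Target" layout (constructed sample input).
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6e34ea08b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\d6e34ea08b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A',
    r"File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A",
]

# One regex per row shape the report uses for these signatures.
ROW_PATTERNS = [
    ("registry", re.compile(r"^Key (?:opened|value queried) (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+) (?P<target>\S+)$")),
    ("registry_set", re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$')),
    ("file", re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")),
]
SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.I)

# (pattern over the normalised key, category, technique); names are this example's
# own. FADT/RSDT are a generalisation: VirtualBox stamps VBOX__ into those tables
# too, while the report above only shows the DSDT check.
RULES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I), "anti_vm", "virtualbox_acpi"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I), "anti_vm", "bios_strings"),
    (re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Wine$", re.I), "anti_emulation", "wine"),
    (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I), "persistence", "run_key"),
]
JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\(?P<name>[^\\]+)\.job$", re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    technique: str
    process: str   # image name of the process that produced the event
    artifact: str  # normalised registry key or file path
    detail: str    # Run value data or scheduled-task name, where applicable


def normalise_key(key: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID>."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    m = SID_RE.match(key)
    if m:
        return "HKU\\" + m.group(1) + "\\" + key[m.end():]
    return key


def classify_rows(rows):
    findings = []
    for row in rows:
        for kind, pattern in ROW_PATTERNS:
            m = pattern.match(row)
            if m:
                break
        else:
            continue  # unknown row shape: leave it for manual review
        process = m.group("proc").rsplit("\\", 1)[-1]
        if kind == "file":
            job = JOB_RE.match(m.group("path"))
            if job:  # Task Scheduler 1.0 stores the task name as the .job file name
                findings.append(Finding("persistence", "scheduled_task_job", process, m.group("path"), job.group("name")))
            continue
        key = normalise_key(m.group("key"))
        # The report renders Run value data with doubled backslashes; undo that.
        detail = m.group("value").replace("\\\\", "\\") if kind == "registry_set" else ""
        for rule, category, technique in RULES:
            if rule.search(key):
                findings.append(Finding(category, technique, process, key, detail))
                break
    return findings


def summarize(findings):
    """Map each process image name to the set of techniques it exhibited."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.technique)
    return out


if __name__ == "__main__":
    for f in classify_rows(REPORT_ROWS):
        extra = f"  -> {f.detail}" if f.detail else ""
        print(f"{f.category:15} {f.technique:20} {f.process:14} {f.artifact}{extra}")
```

Run as a script it prints one line per finding; the two process images come out with different profiles (the dropper carries the anti-VM checks and the .job drop, explorti.exe the same checks plus the Wine probe and the Run key), which is the split an analyst would carry into per-stage detections rather than one monolithic rule.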

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\ecc1975702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A 1
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 4
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 52

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 7
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 3
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 54

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2292 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 4
PID 1036 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe 4
PID 2732 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 14
PID 1036 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\ecc1975702.exe 4
PID 1784 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 7
PID 1784 wrote to memory of 2380 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 13
PID 1036 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe 4
PID 1992 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe 4
PID 2072 wrote to memory of 2920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 10
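Read together, the SetThreadContext and WriteProcessMemory tables describe the execution chain: the dropper writes into explorti.exe, explorti.exe writes into each payload it fetched, and two of those payloads (d6e34ea08b.exe and ecc1975702.exe) both write memory and replace the thread context of a RegAsm.exe they started, which is the shape of process hollowing into a Microsoft-signed host binary; the hollowed RegAsm.exe (PID 1992) then writes into firefox.exe. The Python below is an added example, not sandbox output: it rebuilds that graph from one copy of each distinct row and flags a target as a hollowing candidate only when the same source both wrote to it and set a thread context, so RegAsm.exe PID 2316, which only received writes, is deliberately not flagged. The OS-directory test and the labels are this example's assumptions.

```python
"""Rebuild the injection chain from SetThreadContext / WriteProcessMemory rows of a
sandbox report. Added example for this page; not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One copy of each distinct row from the two tables above (the report repeats each
# write row several times; the repeats add nothing here). Constructed input.
REPORT_ROWS = [
    r"PID 2292 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe",
    r"PID 1036 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe",
    r"PID 2732 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2732 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1036 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\ecc1975702.exe",
    r"PID 1784 wrote to memory of 2316 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1784 wrote to memory of 2380 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1784 set thread context of 2380 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1036 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe",
    r"PID 1992 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 2072 wrote to memory of 2920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    # Paths may contain spaces (C:\Program Files\...), so split where the second
    # drive-letter path begins rather than on whitespace.
    r"(?P<src_path>[A-Za-z]:\\.+?) (?P<dst_path>[A-Za-z]:\\.+)$"
)
# Assumption: an image under the OS directory is a legitimate host binary, the kind
# of process that gets hollowed rather than the one doing the hollowing.
OS_DIRS = ("C:\\Windows\\",)


@dataclass
class InjectionGraph:
    image: dict = field(default_factory=dict)                        # pid -> image path
    actions: dict = field(default_factory=lambda: defaultdict(set))  # (src, dst) -> actions


def parse_rows(rows):
    g = InjectionGraph()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        g.image[src] = m["src_path"]
        g.image[dst] = m["dst_path"]
        g.actions[(src, dst)].add(m["action"])
    return g


def hollowing_candidates(g):
    """Targets the same source both wrote to and re-pointed a thread in, whose image
    is an OS binary. A target that only received writes is not flagged."""
    needed = {"wrote to memory of", "set thread context of"}
    return [(src, dst, g.image[dst])
            for (src, dst), acts in sorted(g.actions.items())
            if needed <= acts and g.image[dst].startswith(OS_DIRS)]


def roots(g):
    """PIDs that wrote to others but were never written to: the chain's origin."""
    targets = {dst for _, dst in g.actions}
    return sorted({src for src, _ in g.actions} - targets)


def writes_into(g, image_name):
    """Sources that wrote into a process whose image has the given file name."""
    return sorted(src for (src, dst) in g.actions
                  if g.image[dst].rsplit("\\", 1)[-1].lower() == image_name.lower())


def render_tree(g):
    """Indented chain, two spaces per level, hollowed hosts tagged."""
    hollowed = {dst for _, dst, _ in hollowing_candidates(g)}
    lines = []

    def walk(pid, depth, seen):
        name = g.image[pid].rsplit("\\", 1)[-1]
        tag = " [hollowed]" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{name} (pid {pid}){tag}")
        for src, dst in sorted(g.actions):
            if src == pid and dst not in seen:
                seen.add(dst)
                walk(dst, depth + 1, seen)

    for root in roots(g):
        walk(root, 0, {root})
    return lines


if __name__ == "__main__":
    graph = parse_rows(REPORT_ROWS)
    print("\n".join(render_tree(graph)))
    for src, dst, image in hollowing_candidates(graph):
        print(f"hollowing candidate: pid {src} -> pid {dst} ({image})")
```

The write edges alone would make every RegAsm.exe look alike; requiring the SetThreadContext edge as well is what separates the two hollowed hosts (PIDs 1992 and 2380) from PID 2316, and writes_into("firefox.exe") returns the hollowed RegAsm.exe as the first process to touch the browser, which matches the firefox.exe command line recorded under Processes.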

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe

"C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\ecc1975702.exe

"C:\Users\Admin\1000037002\ecc1975702.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.0.989326113\1075221403" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {790340be-cf50-49fa-a214-c78385a050a9} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1296 120c3258 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.1.1236831926\521581505" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {561d9664-817e-4324-baee-0b1ee03dbedd} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1504 d74b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.2.175638851\1013856918" -childID 1 -isForBrowser -prefsHandle 1084 -prefMapHandle 1804 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f2684b6-d561-4490-bf27-2c4d09f171a4} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1712 1a2a0658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.3.435760471\479381200" -childID 2 -isForBrowser -prefsHandle 2792 -prefMapHandle 2788 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ccc1bab-8c5d-428e-b49b-92a5caa7a89e} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 2804 1cd6b758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.4.2157860\768774040" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf61e75-43df-4ac5-a6ca-1595acb62f4d} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 3936 20489758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.5.305339510\1832860854" -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {714c12cd-1e1d-48a7-bb52-cb2a5cd94d98} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4028 2048a658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.6.136818635\238945640" -childID 5 -isForBrowser -prefsHandle 4208 -prefMapHandle 4212 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f45e68-d0bc-4795-a574-459e7a2441ae} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4196 204f9258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2920.7.28051041\883730353" -childID 6 -isForBrowser -prefsHandle 3928 -prefMapHandle 4484 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eebba89-3231-4bea-bf88-edcec277299a} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 4492 1b2b1258 tab

Network
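The table below mixes three kinds of traffic: plaintext HTTP to bare addresses in 185.215.113.0/24, where the Domain column simply repeats the IP because no name was ever resolved (the addresses are carried in the sample), DNS lookups to 8.8.8.8, and TLS to Google and Mozilla hosts generated by the Firefox instance that the hollowed RegAsm.exe launched against the accounts.google.com password page listed under Processes. The Python below is an added example, not part of the report: it parses rows in the table's Country/Destination/Domain/Proto layout, separates direct-to-IP peers from DNS and named-host traffic, and clusters the direct-to-IP peers by /24. The rows are copied from the table; the bucket names and the /24 grouping are this example's own choices, and "direct_to_ip" is a triage label, not a verdict.

```python
"""Triage the Country/Destination/Domain/Proto rows of a sandbox network table.
Added example for this page; not part of the report."""
import ipaddress
from collections import Counter, defaultdict

# Rows copied from the Network table below (representative subset; constructed input).
NETWORK_ROWS = [
    "RU 185.215.113.19:80 185.215.113.19 tcp",
    "RU 185.215.113.16:80 185.215.113.16 tcp",
    "RU 185.215.113.100:80 185.215.113.100 tcp",
    "RU 185.215.113.100:80 185.215.113.100 tcp",
    "N/A 127.0.0.1:49306 tcp",
    "US 8.8.8.8:53 accounts.google.com udp",
    "US 8.8.8.8:53 getpocket.cdn.mozilla.net udp",
    "NL 108.177.127.84:443 accounts.google.com tcp",
    "US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp",
    "US 8.8.8.8:53 shavar.prod.mozaws.net udp",
    "FR 216.58.214.174:443 www3.l.google.com tcp",
    "FR 142.250.201.174:443 play.google.com tcp",
]


def parse_row(row):
    """Rows have four fields, or three when the sandbox recorded no domain."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row shape: {row!r}")
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": ipaddress.ip_address(host),
            "port": int(port), "domain": domain, "proto": proto}


def classify(entry):
    """Bucket names are this example's own triage labels, not verdicts."""
    ip, port, domain = entry["ip"], entry["port"], entry["domain"]
    if ip.is_loopback:
        return "loopback"
    if port == 53 and entry["proto"] == "udp":
        return "dns_query"
    # Domain equal to the IP (or absent) means nothing was resolved for this peer:
    # the address came from the sample itself, the usual sign of a hard-coded C2.
    if domain is None or domain == str(ip):
        return "direct_to_ip"
    return "named_host"


def triage(rows):
    buckets = defaultdict(list)
    for row in rows:
        entry = parse_row(row)
        buckets[classify(entry)].append(entry)
    return buckets


def direct_peers(rows):
    """Distinct direct-to-IP (address, port) pairs, sorted numerically by address."""
    return sorted({(e["ip"], e["port"]) for e in triage(rows)["direct_to_ip"]})


def c2_candidates(rows):
    return [f"{ip}:{port}" for ip, port in direct_peers(rows)]


def subnet_clusters(rows, prefix=24):
    """Count distinct direct-to-IP peers per /prefix network; several addresses in
    one small block usually means one hosting allocation, which is what to block."""
    return Counter(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
                   for ip, _ in direct_peers(rows))


if __name__ == "__main__":
    buckets = triage(NETWORK_ROWS)
    for name, entries in buckets.items():
        print(f"{name:13} {len(entries)} rows")
    print("direct-to-IP peers:", ", ".join(c2_candidates(NETWORK_ROWS)))
    print("clusters:", dict(subnet_clusters(NETWORK_ROWS)))
```

Sorting peers as address objects rather than strings keeps 185.215.113.100 after .16 and .19, and the cluster count is over distinct peers, so the duplicated 185.215.113.100 row in the table is counted once; the browser-generated Google and Mozilla rows fall into the DNS and named-host buckets and stay out of the blocklist.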

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49306 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
N/A 127.0.0.1:49312 tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 r2.sn-5hne6nzy.gvt1.com udp
NL 172.217.132.167:443 r2.sn-5hne6nzy.gvt1.com tcp
US 8.8.8.8:53 r2.sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 172.217.132.167:443 r2.sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
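Most of the rows above are not the sample's traffic. The sandbox launches Firefox (see the firefox.exe -contentproc command lines), and the Mozilla, Pocket, Google and OpenH264 names are that browser's own updates and telemetry. What remains once that is filtered out is four plain HTTP connections to three hosts in 185.215.113.0/24 on tcp/80, contacted by literal IP with no preceding DNS query. The script below is an added example, not part of the report: it parses a copy of rows from this table, labels each row, and aggregates the non-noise rows into IOC records. The allowlist of browser/telemetry zones and the rule that loopback and allowlisted hosts are sandbox background are analyst assumptions; the rows embedded in the script are copied from the table.

```python
"""Triage of a sandbox Network table: the sample's own contacts vs. browser noise.

Added example, not part of the report. The rows are copied from the behavioral1
Network table; the allowlist of browser/telemetry zones and the rule that
loopback and allowlisted hosts are sandbox background are analyst assumptions.
"""
import ipaddress
import re
from collections import Counter

# A representative subset of the table's rows, copied verbatim. The table is
# space separated; the Domain column is empty on the loopback rows.
NETWORK_ROWS = """\
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49306 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
NL 172.217.132.167:443 r2.sn-5hne6nzy.gvt1.com tcp
"""

# Assumption: these zones belong to the Firefox instance the sandbox runs
# (updates, telemetry, Pocket, Google account checks), not to the sample.
BROWSER_NOISE_SUFFIXES = (
    ".mozilla.net", ".mozgcp.net", ".mozaws.net", ".getpocket.com",
    ".google.com", ".youtube.com", ".gvt1.com", ".openh264.org", ".akamai.net",
)

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_row(line):
    """Split one 'Country Destination Domain Proto' row into a dict."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable network row: {line!r}")
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def classify(row):
    """Label a row: loopback, browser-noise, direct-to-ip or suspect."""
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    domain = row["domain"] or ""
    if domain.endswith(BROWSER_NOISE_SUFFIXES):
        # Covers both the DNS lookup and the follow-on TCP/UDP flow.
        return "browser-noise"
    if domain == row["ip"]:
        # No hostname was ever resolved: the sample carries its C2 addresses
        # as literal IPs, which is itself worth alerting on.
        return "direct-to-ip"
    return "suspect"


def summarize(text):
    """Count rows per label."""
    return Counter(classify(parse_row(l)) for l in text.splitlines() if l.strip())


def extract_iocs(text):
    """Aggregate the non-noise rows into (ip, port, proto, hit count) records."""
    hits = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if classify(row) in ("direct-to-ip", "suspect"):
            hits[(row["ip"], row["port"], row["proto"])] += 1
    ordered = sorted(hits.items(),
                     key=lambda kv: (ipaddress.ip_address(kv[0][0]), kv[0][1]))
    return [{"ip": ip, "port": port, "proto": proto, "hits": n}
            for (ip, port, proto), n in ordered]


if __name__ == "__main__":
    print(dict(summarize(NETWORK_ROWS)))
    for ioc in extract_iocs(NETWORK_ROWS):
        print(f"{ioc['ip']}:{ioc['port']}/{ioc['proto']}  x{ioc['hits']}")
```

Run against the full table the result is the same three hosts; the point of keeping the classifier separate from the aggregation is that a row with an unknown hostname (a DNS query the browser allowlist does not explain) is reported as "suspect" rather than silently dropped, so a new C2 domain would still surface.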

Files

memory/2292-0-0x0000000000CB0000-0x0000000001170000-memory.dmp

memory/2292-1-0x0000000077470000-0x0000000077472000-memory.dmp

memory/2292-2-0x0000000000CB1000-0x0000000000CDF000-memory.dmp

memory/2292-3-0x0000000000CB0000-0x0000000001170000-memory.dmp

memory/2292-4-0x0000000000CB0000-0x0000000001170000-memory.dmp

\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 681684038f5ae0cbb1974d2dd82c345c
SHA1 cef63a7eadae08d4e663e5222e70ecdb04ba54de
SHA256 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
SHA512 d9726dfd336e86838fdee5f3588872dd97528e7d33265872c3417f6b98ca4f4e12135de2d9b2a56898f74d25cad73316ffd46451c17c4853ee663bcb2c3a690c

memory/2292-15-0x0000000000CB0000-0x0000000001170000-memory.dmp

memory/1036-16-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-17-0x0000000000041000-0x000000000006F000-memory.dmp

memory/1036-18-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-20-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\d6e34ea08b.exe

MD5 980c41e3847ca8442702221633cee6ef
SHA1 6359f2bdce723290d5e59d75632ee1b34ccbfccb
SHA256 b334b35ee113fb34996ea6b19e0989865679c484c4efdc4a78e1f2b72dca3aad
SHA512 2f98d724596b5ab1c96dde899fe3de2549271bdd9fdb4ac586b756d41a40bfb9d9343ea845c52a192d12f1836f879736fc39ca3c0dbfc84cb2be6f40f82912fa

memory/2732-35-0x00000000001B0000-0x0000000000302000-memory.dmp

memory/1992-37-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-39-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-41-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-48-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-50-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1992-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1992-46-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\ecc1975702.exe

MD5 9b5ce0aad79aa13bb49dac5c65263ad8
SHA1 e0d347799df48b5c1329fca59ec75f219b71c2de
SHA256 f4b001e32cc190b798b767b41fa1556a384ee248920b71e8c1bd6e37ec4adb48
SHA512 b884bbcb15fd5dfb0e03209c5d697396536b4587190cd9bd0de157cf52152382b6ba90ad90b109a42f2d4f2b88a28585bfd01d42ed709085bb2857f065329dfd

memory/1784-68-0x00000000001D0000-0x0000000000228000-memory.dmp

memory/2380-72-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-76-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-84-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-81-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2380-78-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-74-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-82-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2380-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\e124e926cc.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1752-101-0x0000000000A20000-0x0000000000C63000-memory.dmp

memory/1752-102-0x0000000000A20000-0x0000000000C63000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\da56f159-8a3d-401b-bd22-af81f5e808c2

MD5 de8494351c48ff79d6171096beab792d
SHA1 ba011672b55c8224aae35a7847922fec8f69f94f
SHA256 70b34033e2a90e9f4e18a12b2dc19eb0ffd2f0907b4db0b5008a321dec28b062
SHA512 5b5fabb0e8b277fbee5098a94e7814953960a1b3ac08e35946c5bfaa01f198120fbd234df99f3ff2116cf0284727c38255c18cfc91919cd8cf2a73002ee517f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

MD5 6649ae75079c7bb4def49376c890f693
SHA1 8f05279c9c16760733fd559533ac25e214024cf4
SHA256 4672611896c3b4d543bcb82fdf68c2eae226bf163e88c07d3c943abcd8c97142
SHA512 519992eacee0c976efd6afff7e4a7fe0afa76e514850f70cc04e90666c82ab95952d96cb4a93a99b0e4911966e599c2d8f18f6335e4099310e37807f6443894f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\4b830587-d6da-45fd-a668-dfc609d7c1a6

MD5 0c75d2b9ca9318139c5067b8da435711
SHA1 016b4e4f203d6dce5c5506b44f45c5b8808864d5
SHA256 2d59548537838b3ab113024922261224aec493336ee553521386d922ce75192d
SHA512 40788e8699f18449fac6aa623b866416b9dc64f77f20c969745a893bc471462dcbfcb517241856e255babfa9039ce147f0a858577e461fc483169ed60d6b0d9c

memory/1036-169-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3dc733f51b6c47c0e57ae7035b9abacf
SHA1 d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
SHA256 aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
SHA512 e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

MD5 29a1867445d680ae733f60b7bd0e1e7c
SHA1 627bed078168176d9cec45109abed9a77591595f
SHA256 17e08b3883803fd1c2f3e41b267f23cda513a3eedf1f345f3c12f93871f66b0b
SHA512 6eec52c7b3cc0206f0943802b1e77f41ef745de2a08426f590d13cde7936e77317e9a88268b581d653b195bbd378270afedafafa5de3574eb45c441b9777fca3

memory/1036-227-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-237-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 15c2544ff886376d35bb574bf468f811
SHA1 c30f9ff53378a38642a6253408278a0a290a8ab6
SHA256 b2f1a0edbc0f32380fc0b27e2a19c8870bad8826549b5718f19b072bec470929
SHA512 4c01afa8063285ff3b0b435e1f1564257be060aa737971aa0b242edc0d2b87cc6b9ff98f9df0e6fd0b80f24b8af9a1d65e4d9fbbd9fcd1d928b244f7d0e17eb0

memory/1036-250-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-259-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cdbcf79a597f7e5ca0b8a399eb5ed08f
SHA1 18c418b993d0265844e9b54e6efaea61baf2224c
SHA256 1994a9b192d0acf9b95492c7a274f1db1311ad2545a6c8b1360f17463c3cc38a
SHA512 b5d552aadf92a60a68dbdedb3b6cf891e4d32f59c18ff1466e0b51ba7f3a6ec4b8fa61dc29b9bdbe304024002af02e99a6fa210b26e4c26ec76ca4be9b586dae

memory/1036-269-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 a0d83aeecb1851934046b132624aa007
SHA1 9a5b42d4059db987e71fe3ca68e92a4555d6f1f3
SHA256 2e88e9c5e9c1ed7b676b0ddb2b3cdbefeee8545e6fafeb6b6f18e4706069359c
SHA512 098ecc37fb995cb03f574d4d4d739882c220ba8f778ac9d908b9043f5c1a3eb5050e2db7d475652d7204e3fb1b92368366274ee701cdbe30674edbd78d3aa691

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

MD5 c3629a098ef3729e645ca7866a54848e
SHA1 daa8f1c98870aa6ec9c9e9750b13115cab7f8ada
SHA256 1ebfec5b4a75183d0a54a4cb1923046556fb0a2835498ca79e0472a2b4eef043
SHA512 dca7a9044de7a4ade2a26a9ee96c70b64de0744a8caf950896a5a07997457bd850f820a7f938ce4fe425ae6648823cfa2e078accdd467114bcea9d5613070d46

memory/1036-316-0x0000000000040000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0f5d3c05bd3e4c81f23ae92c754d2173
SHA1 7c6ff5e78023dec7e8710b94637b7d82287bedfe
SHA256 369f8b81b27e58073b0fb3e086e54f839f87a090ab6c3ed65646dfa99527a7f4
SHA512 c538c62cf93d0fc5568c3bc41fb83d3aa7472ee70f2eb6721f78480560f83ff6763e7fc9586cb19d90cb3e83d2cd4ab5de6b940301cad1d9dfc22a4bdd582aa2

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/1036-363-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-365-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-373-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-378-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-379-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-380-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-381-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-382-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-383-0x0000000006210000-0x0000000006453000-memory.dmp

memory/1036-389-0x0000000000040000-0x0000000000500000-memory.dmp

memory/1036-390-0x0000000000040000-0x0000000000500000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 06:39

Reported

2024-08-15 06:42

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b8dad51ee0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b8dad51ee0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1444 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 set thread context of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
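Read together, the Run key row, the explorti.job row, the SetThreadContext rows and the WriteProcessMemory rows at the end of this analysis describe the whole execution chain: the submitted sample writes into explorti.exe, explorti.exe writes into the downloaded b8dad51ee0.exe, and that binary (like ecc1975702.exe) sets the thread context of a RegAsm.exe it started, the classic pattern for hollowing a signed Microsoft binary to host a payload. Persistence is recorded twice: an HKCU Run value pointing into %TEMP%\1000036001\ and the legacy scheduler file C:\Windows\Tasks\explorti.job. The script below is an added example, not part of the report: it parses copies of those rows and rebuilds the injection chain and the persistence artifacts. Two caveats a responder should keep in mind: the PIDs (704, 224, 1444, 3988) belong to this behavioral2 run, so they do not match the PIDs in the behavioral1 memory dumps listed earlier; and the payload name under 1000036001\ differs between the two runs (d6e34ea08b.exe vs b8dad51ee0.exe), so hunt on the directory pattern and the hashes, not the file name. The regexes assume the space-separated row layout used on this page and paths without embedded spaces, which holds for every row they are given here.

```python
"""Rebuild injection chain and persistence from a sandbox 'Signatures' table.

Added example, not part of the report. The rows are copied from the behavioral2
Signatures tables; the verb labels and the 'points into %TEMP%' heuristic are
analyst assumptions. Only the WriteProcessMemory rows visible on the page are
used; the table is truncated there.
"""
import ntpath
import re
from collections import defaultdict

SIGNATURE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b8dad51ee0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\b8dad51ee0.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
PID 1444 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 set thread context of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 224 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe
"""

# Row shapes as rendered on the page: 'Description Indicator Process Target',
# space separated, paths without spaces.
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+\\Run)\\(?P<name>\S+) = '
    r'"(?P<value>[^"]+)" (?P<process>\S+) (?P<target>\S+)$'
)
FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<process>\S+) (?P<target>\S+)$")
VERB_LABEL = {"wrote to memory of": "WriteProcessMemory",
              "set thread context of": "SetThreadContext"}


def injection_graph(text):
    """Return (pid -> image basename, set of (src, dst, api) edges)."""
    images, edges = {}, set()
    for line in text.splitlines():
        m = INJECT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = ntpath.basename(m["src_image"])
        images[dst] = ntpath.basename(m["dst_image"])
        edges.add((src, dst, VERB_LABEL[m["verb"]]))  # repeated rows collapse
    return images, edges


def chains(text):
    """Render every root-to-leaf path as 'image(pid) -api-> image(pid) ...'."""
    images, edges = injection_graph(text)
    children, targets = defaultdict(list), set()
    for src, dst, api in sorted(edges):
        children[src].append((dst, api))
        targets.add(dst)
    roots = sorted(pid for pid in images if pid not in targets)
    out = []

    def walk(pid, path, seen):
        if pid in seen or not children.get(pid):   # leaf, or a malformed cycle
            out.append(" ".join(path))
            return
        for dst, api in children[pid]:
            walk(dst, path + [f"-{api}->", f"{images[dst]}({dst})"], seen | {pid})

    for r in roots:
        walk(r, [f"{images[r]}({r})"], set())
    return out


def persistence_artifacts(text):
    """Collect Run values and %WINDIR%\\Tasks\\*.job drops from the rows."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            image = m["value"].replace("\\\\", "\\")  # undo the report's escaping
            found.append({
                "kind": "run-key", "name": m["name"], "image": image,
                "by": ntpath.basename(m["process"]),
                # Assumption: an autostart into a per-user Temp directory is
                # a loader artifact, not a legitimate installer's.
                "in_temp": "\\AppData\\Local\\Temp\\" in image,
            })
            continue
        m = FILE_RE.match(line)
        if m and m["path"].lower().startswith("c:\\windows\\tasks\\") \
                and m["path"].lower().endswith(".job"):
            found.append({"kind": "task-job", "path": m["path"],
                          "by": ntpath.basename(m["process"])})
    return found


if __name__ == "__main__":
    for c in chains(SIGNATURE_ROWS):
        print(c)
    for p in persistence_artifacts(SIGNATURE_ROWS):
        print(p)
```

The two rendered chains end in RegAsm.exe, which is why the credential-access and NLS\Language rows in this analysis are attributed to RegAsm.exe rather than to any file the sample dropped: on a host, the stealer activity will show up under a signed Microsoft image, and the process-creation event for RegAsm.exe with a parent in %TEMP% is the detection opportunity.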

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\ecc1975702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 224 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe
PID 224 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe
PID 224 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1444 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\ecc1975702.exe
PID 224 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\ecc1975702.exe
PID 224 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\ecc1975702.exe
PID 1940 wrote to memory of 1800 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1800 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1800 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1940 wrote to memory of 1456 N/A C:\Users\Admin\1000037002\ecc1975702.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe
PID 224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe
PID 224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe
PID 3988 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3988 wrote to memory of 1424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1424 wrote to memory of 2420 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2420 wrote to memory of 3804 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe

"C:\Users\Admin\AppData\Local\Temp\fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\ecc1975702.exe

"C:\Users\Admin\1000037002\ecc1975702.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1579d669-3217-45d7-a4e8-432945cddab9} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2452 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0fc9efe-fbe4-4bee-967b-eca2a71e8640} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2908 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 1436 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90fef7a6-88d4-40d7-89f2-fae59c0823c3} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc514b3-2671-4dd6-8925-7ae893554a38} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f32a953b-179f-4a37-8f1e-8930260c116f} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5432 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5d782bf-9b7e-41c6-b9df-e6833145a5fb} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5628 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f71c2e6-7bbf-497a-a032-5ae4fc7a8f0a} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5360 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4267a1-cb64-4f1f-a4dc-a9a28c612d87} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6304 -childID 6 -isForBrowser -prefsHandle 6328 -prefMapHandle 6324 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e9b890-5f77-4ba4-99e9-66e5a1b0bcf8} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:59402 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
N/A 127.0.0.1:59420 tcp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nsk.gvt1.com udp
NL 172.217.132.38:443 r1---sn-5hne6nsk.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 38.132.217.172.in-addr.arpa udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/704-0-0x0000000000C80000-0x0000000001140000-memory.dmp

memory/704-1-0x0000000077364000-0x0000000077366000-memory.dmp

memory/704-2-0x0000000000C81000-0x0000000000CAF000-memory.dmp

memory/704-3-0x0000000000C80000-0x0000000001140000-memory.dmp

memory/704-4-0x0000000000C80000-0x0000000001140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 681684038f5ae0cbb1974d2dd82c345c
SHA1 cef63a7eadae08d4e663e5222e70ecdb04ba54de
SHA256 fcab4949f2e97dca79e18b8ee9ff5499d4f1840929b158a2e04d03f6ff70dc24
SHA512 d9726dfd336e86838fdee5f3588872dd97528e7d33265872c3417f6b98ca4f4e12135de2d9b2a56898f74d25cad73316ffd46451c17c4853ee663bcb2c3a690c

memory/704-17-0x0000000000C80000-0x0000000001140000-memory.dmp

memory/224-18-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-19-0x0000000000631000-0x000000000065F000-memory.dmp

memory/224-20-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-21-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\b8dad51ee0.exe

MD5 980c41e3847ca8442702221633cee6ef
SHA1 6359f2bdce723290d5e59d75632ee1b34ccbfccb
SHA256 b334b35ee113fb34996ea6b19e0989865679c484c4efdc4a78e1f2b72dca3aad
SHA512 2f98d724596b5ab1c96dde899fe3de2549271bdd9fdb4ac586b756d41a40bfb9d9343ea845c52a192d12f1836f879736fc39ca3c0dbfc84cb2be6f40f82912fa

memory/1444-40-0x0000000072F7E000-0x0000000072F7F000-memory.dmp

memory/1444-41-0x0000000000480000-0x00000000005D2000-memory.dmp

memory/3988-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3988-46-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3988-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\ecc1975702.exe

MD5 9b5ce0aad79aa13bb49dac5c65263ad8
SHA1 e0d347799df48b5c1329fca59ec75f219b71c2de
SHA256 f4b001e32cc190b798b767b41fa1556a384ee248920b71e8c1bd6e37ec4adb48
SHA512 b884bbcb15fd5dfb0e03209c5d697396536b4587190cd9bd0de157cf52152382b6ba90ad90b109a42f2d4f2b88a28585bfd01d42ed709085bb2857f065329dfd

memory/1940-66-0x0000000000900000-0x0000000000958000-memory.dmp

memory/1456-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1456-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\189b776df5.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4420-86-0x00000000008B0000-0x0000000000AF3000-memory.dmp

memory/1456-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\72954ad6-27a3-4fa1-83bf-1a72367445bc

MD5 44d8ee9870378a33f2c0f5984aa0c5fb
SHA1 8838baa01702c7b7bd93fbacc6b803257122a43b
SHA256 2749faba897342c2716404bb6e5b8f8d7e0a271bb0add033b8c390b6fba5a6f1
SHA512 a168f7fd272a74b6d15aa0798aa202b2c4dac9d246eba6dc0fbe87e72b7c2caa1943405c5ff38cea47d591597094b1722d1da2f30cf2798b0a420ce35c9416c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\d3e27b53-6053-48b2-bb8c-ad0124ea0230

MD5 a4d68db10160fda2e8ec36c02e8d48c4
SHA1 f972a2c216a1455825e37b3c92c5e7210b96d5e5
SHA256 c7d1bcf2116e29c6c3d07011f7fa43e0c68c39021257760479f3d8e016d932b9
SHA512 a2d5bfdc66fd9fe5733c37dea20b66f69e97e17d2b9370416b444814349ce1796985fe432ebd450e53f034b2e5bd81b62f79450cc17994e1d323b57d7d323cf3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\b35a26d7-2348-4d58-bfc0-ae6f462c11c6

MD5 7c0dc1c9ba49b5b6c994379f5fa7da29
SHA1 8fac4a46172b0659ad75cf99a6525c567fc6329e
SHA256 cc761feacceb47e83d115a72d716c0a1c0eb3700632996a40e2cf946a91d60c8
SHA512 b6a6add800dcc4cc4a33fec912e2bb61b31260206eb14491d1f86d34a7352bf618c13c3a21d3260af3d635bfe18c5efcfb9cfd4bc55e91ed0954d1c58eca980d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 772a4822a22298045232721ecfaf4c40
SHA1 cf18b7a9298bda89380247f7f1df51577d54c555
SHA256 9aa9627c05a7a1debdb5f1a2223f81994dea2c451ec05b8fe890e49a40e9b8b6
SHA512 cc1593b5ad29f2b2f51e07676a63ef2cf552908f16b0496dbad9fee08e9ed3d5fd277b11ba91963384b26fa246d70209d7e4a70306eb2d6d30869a67c89051c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 e34d35df402f33c3fe2c819df8c2b4c4
SHA1 41f8a94be694b1d98636cb1173a9fc8ff125afc9
SHA256 0435b6f75dcbdcdcb808f144ad66bdd83fbc0762986a37fbb11b87559f891129
SHA512 593657128363e69d84331e667f403f415d84472015df726c62a39c6f97d40ac87a50e37e9a702203cb6c39c35b02f957951374b9f9e382b5d094428298a3022e

memory/224-411-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 eb356787c6bb647917eeb139cf4e2200
SHA1 15fdc64ee490a556dbf2fa15f5b78f9da9373018
SHA256 3bd6e09f010ef635b0159b8fcffb1507c3165b1d8d77a21297566618bfcca385
SHA512 f3091aa4112f7fe33a7a07fd7be6633cc06e890e01e81b4e247eab82feeaed71183f5ef852d4f59099eba06359bbd2d57708862db5f07a878c7e2b1bd150d3da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 abf8d8e972aa581f9f6b4c1d36d3e135
SHA1 3e79fb53a236e88cee9dabc0e71dab325d5aa827
SHA256 c6ea573e33d642d3b7c71dc51fbcd503343d9698b2ad2635b48e6a836852a445
SHA512 20e207d3ab66174f6d30df01b5b073559344c6297c80ec6cfb585d4fb6ecbe75808851d09be824e838b689c0db36b39ec6e5b32e1e21058f2051ca69779f2943

memory/5444-469-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/5444-470-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-473-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-510-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-511-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-518-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 a34a50519a33de161bddf197b65bac9e
SHA1 110028d38899eed63d206182086796482529f3bb
SHA256 a42f2e6d85d25236090eeb23e236936f7955a6545a67e52cb9c76ffc83b21977
SHA512 fb3def9a5cb94205820b33be15867bbe6303a1a7b7a0eb4ef5e56ba428ba6f2cbcea05df2be0f2ea370b0d76dd1b2a29d2943c06fb24cf63d6242523535a2e35

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 f2fe328c0f77621484faab517f14730b
SHA1 bb0add752a53bd5cf742382f8b47b7deab464b3d
SHA256 bd20f5eff7fd9d853cdaca80638e73eec1b05b0ea2dac83561b6d02fa35dbf16
SHA512 2a8517a69bda890cbd326e05d8a48760a3d99d35667af948aac23dbb1dd787bbb1c95895f7bb4416904e34952d9a39fd3521329b62a242f80c45fe7632790486

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 a43536af5fff5fd2a74c89228d7e02f3
SHA1 ec772eb9b2e7e061f586e5081883fadc6894efbf
SHA256 562686ceb3f58fbbb4296e4c7df20ca0790b26eb7d68d1c672a69c1fee7b4947
SHA512 ecfc45e85118e4412d7a89d02353981664d5b36856bb1b94c7a6c0a7adcf569fa1f601a40a371479a05115fd3f8cf9a04d14078f2477331a9a862ee96adfb6d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 59100bd605bc4a70ff6a75945eb10604
SHA1 ddfef44a34a8c7b5a5898976eb6599cccde8fdee
SHA256 ec9ea7ea84f93d54eaf0bf83a6589c846819088a53d260593bbb3d80bd11842f
SHA512 0a40ad59f26c26428770dfd02bb6a89ea57fbae9ecd2e891977628a15e1d2c4c3d3d57465e3aeb3fe6ee2d930181df165e79dd31f6f1aa4615462394302d2bfc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 0e1ea55db57e1373f6438593e567c483
SHA1 d5158df677f1690188947a77305c2c0185475e95
SHA256 32d44e3878ed6ebfba499aff922a309110726964d7c1a34718e655c84664fbbc
SHA512 f4aa183a7227be1ab88c21d5731964811fcd6f27adbf7bcccc7d100aa7c49c9b37182c292cbb5a671d321af1f77b903d5cac884735a0cff165f9bb4e2a682860

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 897b78afa98b261ff5db5f01d7a008cb
SHA1 41a883912e639f2872c5f72b81ef45e63d1ec527
SHA256 e474b1b7dc0487a87f64cc5a8b9f99444861659bef2f10d6177375bf441caac2
SHA512 c1110b08686ccc2b6e0f263f094d22621d56bf1b604ba139b396a0bf28f90a18a91504e0c0961bfed4437b8b905c6144a9f84b4497b4849a1c249aa80ad23d9c

memory/224-779-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 713e83f533dbb006a8afefffdfc48fe0
SHA1 d88d78ba68d5728fcc227624aaf3b3a1e85babe7
SHA256 d489e81a9c34571a418e520948e131b17a5123397e44177a2cc7f970e510b954
SHA512 0f038ea3c070dffb03daabed475e47d47bc5c67874cbff44496d509b4c465e9fbb2c4663f3021992284cd93c92252fc914600e7e3d16c36348f7143f05fc0f0e

memory/224-1333-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-2697-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cookies.sqlite

MD5 34c55844cfe7ad14cac73d517afdeba0
SHA1 0d43d467b6057ae4668397e6f77d0d22caf8f308
SHA256 67173f15c6999038cab0aae8be054977d0b6cd5daab8d52740f56e569e08e573
SHA512 21c41cd11d1d06bcaf433bcee7c2a38230c7a34baa502bc37931a8d7fdc7f7fb38619073dbc339d44f8a46ba7f796716fd55996698c540c00ac3f7a9f019b0ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cookies.sqlite-wal

MD5 5e76e40a2918ff8cfe2b0c6e9a222e8a
SHA1 cb979fb7cfc04b9a4f3b2cd9b2a49bb56c8dcc29
SHA256 9ff8019e02b297aefec8703068713d33d67e46adc72d3d4619086c56d5bb745e
SHA512 b56d61eced565963195fc0b3fb39bf6637fc112fd19a962da1295ea9999b5dfb6ce6b29c59493389131be345a5d9d9b78182ba7a47a73911f31d0d8f0520af57

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\places.sqlite-wal

MD5 a5b51877a51df1146cb61e36a22bdc56
SHA1 3795a36f06adf9da68b09348f2c070e2125c6600
SHA256 a0e6e1556ef0a813f8bfa843a0c9b2c89b3a0fae9a4095b63b579ec50fd31eea
SHA512 db03432990ff111114f2ba6cfbc3d8209b21c75323508df43cf746b3e44d50ce7569abc575d2db8f490c08cfe764af78c66d4eaea8da910d5f7dbf6f3d8aed0c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\formhistory.sqlite

MD5 97c1441748d6cc3e5a7030cda7543975
SHA1 f5598a45b101a5404126cd27fbb7f4b70861ee32
SHA256 2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91
SHA512 29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 ae5860c1a9bc7bc4dce77232e67ea28b
SHA1 396a1c0a6ea9594b6e87413ee1cb27901fe158d8
SHA256 5a7117c3319729bd6ceafec569792c170ab929e07157d977f9043976c65dea2b
SHA512 3496cff3190e0adc91be0e816b1cdd86fc32acacbed28c2d0f26211c3a7629ad7b1c2b7277b21f793b71e8da5030c0e37e7b418493eadd225f3501d5df72fa53

memory/4420-3379-0x00000000008B0000-0x0000000000AF3000-memory.dmp

memory/224-3382-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/4156-3385-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/4156-3386-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3389-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3390-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3391-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3392-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3393-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3399-0x0000000000630000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 2826ebd18de0124f82c026867529f226
SHA1 7b938a79c14a5e5a31322c0c78005a3bceaa6372
SHA256 60427c2beb5ed5ba385f810f1fece4aa7448736d65df43fc5d824b8c2df01af5
SHA512 ed69cf8f01849cd127f18ae8709a411ef0b83b6e2c097b38a75bf3964f31c816f9994de484f8de87cacd189c13f5ddfd4cc332bc86293b623600e9f762049383

memory/1380-3404-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/1380-3405-0x0000000000630000-0x0000000000AF0000-memory.dmp

memory/224-3407-0x0000000000630000-0x0000000000AF0000-memory.dmp