Malware Analysis Report

2025-01-18 11:33

Sample ID 240817-n9crcaxeln
Target 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA256 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
Tags
amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379

Threat Level: Known bad

The file 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 12:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 12:05

Reported

2024-08-17 12:07

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee9218a39d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\ee9218a39d.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\e57bb73e4a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4584 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe
PID 5068 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe
PID 448 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4584 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\e57bb73e4a.exe
PID 3312 wrote to memory of 1140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1140 wrote to memory of 2612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2612 wrote to memory of 3216 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe

"C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\e57bb73e4a.exe

"C:\Users\Admin\1000003002\e57bb73e4a.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b643906-999f-457c-be6b-59c13dac40e2} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f336a124-966a-4726-9e5e-b71f5de3679b} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 1392 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1280baf-ca85-42a5-8b06-e606428a36b1} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 2612 -prefMapHandle 2600 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e70f82c5-2ee4-4638-bddd-3f50d5e68ddf} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4112 -prefMapHandle 4800 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2899e15-5475-458c-aa38-b7488258adc3} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60c73946-7092-4f8a-b379-317585506942} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5320 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a018764a-6d6a-413c-abf5-d26bab94e508} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343597b4-16fc-44cf-8a4b-c206b94dba35} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 6048 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8349fb11-74a5-433d-94bf-d604e985db39} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:62390 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:62397 tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 47.249.226.44.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5ednsk.gvt1.com udp
DE 173.194.188.234:443 r5---sn-4g5ednsk.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5ednsk.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5ednsk.gvt1.com udp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com udp
US 8.8.8.8:53 234.188.194.173.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
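The Network table above mixes three kinds of rows. The RU rows whose Domain column simply repeats the destination address (31.41.244.10:80, 185.215.113.16:80, 185.215.113.100:80) are direct-to-IP HTTP connections with no hostname involved, which is the traffic to pivot on. The in-addr.arpa rows are reverse-DNS queries, and several of them are the PTR names of exactly those addresses (16.113.215.185.in-addr.arpa is 185.215.113.16 reversed). Everything under mozilla.net, mozgcp.net, google.com, gvt1.com, openh264.org and bing.net is Firefox and OS update or telemetry traffic that the report does not attribute to the sample; the rows marked udp on port 443 are consistent with QUIC, but the report does not say so. The following Python is an added triage example, not part of the report or of any sandbox tooling: it parses rows in this table's layout, separates the classes above, collapses the direct-to-IP rows into a deduplicated candidate-C2 list and checks which of those addresses also had a PTR lookup. The row subset is copied from the table; the benign-suffix list and the class names are this example's own assumptions.

```python
"""Triage a sandbox Network table: isolate direct-to-IP C2 from browser noise.
Added example, not part of the report; rows are copied from the table above,
the benign-suffix list and class names are this example's assumptions."""
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the report's rows (Country Destination Domain Proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:62390 tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
DE 173.194.188.234:443 r5---sn-4g5ednsk.gvt1.com tcp
"""
# Assumption: these suffixes are Firefox/OS traffic from the sandbox image, not the sample.
BENIGN_SUFFIXES = (".mozilla.net", ".mozilla.com", ".mozaws.net", ".mozgcp.net",
                   ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com",
                   ".openh264.org", ".akamai.net", ".bing.net")
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
Flow = namedtuple("Flow", "country ip port domain proto")  # domain is None on loopback rows

def parse_rows(text: str) -> List[Flow]:
    flows = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows

def classify(flow: Flow) -> str:
    """dns-rdns | dns | loopback | direct-ip | browser | other."""
    domain = flow.domain or ""
    if flow.port == 53 and flow.proto == "udp":
        return "dns-rdns" if domain.endswith(".in-addr.arpa") else "dns"
    if ipaddress.ip_address(flow.ip).is_loopback:
        return "loopback"
    try:
        ipaddress.ip_address(domain)  # Domain column repeats the IP: no hostname was involved
        return "direct-ip"
    except ValueError:
        pass
    return "browser" if domain.endswith(BENIGN_SUFFIXES) else "other"

def ptr_name_to_ip(name: str) -> str:
    """'16.113.215.185.in-addr.arpa' -> '185.215.113.16'."""
    return ".".join(reversed(name[:-len(".in-addr.arpa")].split(".")))

def candidate_c2(flows: List[Flow]) -> List[Tuple[Tuple[str, int, str, str], int]]:
    """Direct-to-IP connections, deduplicated, with hit counts."""
    counts: Dict[Tuple[str, int, str, str], int] = {}
    for f in flows:
        if classify(f) == "direct-ip":
            key = (f.ip, f.port, f.proto, f.country)
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items())

def rdns_lookups_of(flows: List[Flow], ips: Set[str]) -> Set[str]:
    """Which of the given IPs also had a PTR query in the capture."""
    return {ptr_name_to_ip(f.domain) for f in flows
            if classify(f) == "dns-rdns" and ptr_name_to_ip(f.domain) in ips}

def triage(text: str) -> dict:
    flows = parse_rows(text)
    c2 = candidate_c2(flows)
    return {"c2": c2,
            "c2_rdns": rdns_lookups_of(flows, {key[0] for key, _ in c2}),
            "browser_rows": sum(classify(f) == "browser" for f in flows),
            "unclassified": [f for f in flows if classify(f) == "other"]}

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for (ip, port, proto, cc), n in result["c2"]:
        print(f"C2 candidate {ip}:{port}/{proto} ({cc}) x{n}")
    print("PTR lookups of C2 IPs:", sorted(result["c2_rdns"]), "| browser rows:", result["browser_rows"])
```

Anything that lands in "unclassified" is what deserves a manual look; on the full table above it stays empty only if the suffix list covers every hostname the sandbox's Firefox touched, so treat that list as a per-image allowlist rather than a fixed rule.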

Files

memory/3904-0-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/3904-1-0x0000000077AE4000-0x0000000077AE6000-memory.dmp

memory/3904-2-0x0000000000A51000-0x0000000000A7F000-memory.dmp

memory/3904-3-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/3904-4-0x0000000000A50000-0x0000000000EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 f92bc75eb1dd5151fcda78609b39c232
SHA1 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512 bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6

memory/3904-18-0x0000000000A50000-0x0000000000EF6000-memory.dmp

memory/4584-17-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-19-0x0000000000341000-0x000000000036F000-memory.dmp

memory/4584-20-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-21-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe

MD5 308d0996727a81dfcb72a69e1a132108
SHA1 9b48220c70d23d2022dd33b142ba6ff8f878c7e6
SHA256 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88
SHA512 65503827ac96c6a81c6ab6a6428286b6b43fd78ded0ec255e21ca3d6f2f4ce8f2fb4f3167afcfd7c6e9b997dd448c937bea01b676f645f33dfe4fd9b88ad2c25

memory/5068-40-0x00000000736FE000-0x00000000736FF000-memory.dmp

memory/5068-41-0x0000000000560000-0x0000000000690000-memory.dmp

memory/3312-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3312-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3312-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe

MD5 aa217dbf9cb8080176f0bae19edc6305
SHA1 1753b00e1dddb7d9635ad0e9d285907445cc70b6
SHA256 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
SHA512 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab

memory/448-68-0x0000000000B60000-0x0000000000B98000-memory.dmp

memory/1892-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1892-73-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4584-75-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\1000003002\e57bb73e4a.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/532-91-0x00000000004A0000-0x00000000006E3000-memory.dmp

memory/532-92-0x00000000004A0000-0x00000000006E3000-memory.dmp

memory/4584-93-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\75c648d6-dc2d-4174-8eac-c87cd3c127fa

MD5 6711ba58569128b7989e5feae1c47346
SHA1 f5c6de99e807681c53afe0ae07cbfa8e1d5a5c89
SHA256 57c7ba60544f625675586deb78f76639fc530a298e3eb404b82cde0111b81f16
SHA512 981a1deb77f2107b61b971f3b010025a0a699ca214c271c3dcf9934b7c0b8abc88697022be0771f7c8e36cf6ae4c2a59071796e308ff3dd493baf6dff9823c3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\e9b5f995-cbad-45fd-9cab-4a0c69182231

MD5 f023d20ddfec22a9ebf0e4b49fcacff8
SHA1 6e6889468737fbdcb3eb255cecc7d0d6e46a5520
SHA256 52d8b5d0a9f4f4d9b1add503c2775d3be45341735e30eae8f26e376781555570
SHA512 a1e847ee368c6d0b044f8e0872748818b3e6e0477764ed5cadfda34a21183895be0ce726225b31aed7f5be1bd6be4d0f39c280448827c6c891fcc0e7ab55ebe6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\186f8284-c5ea-4ea1-b7aa-ea14b309b724

MD5 82b5f9cc4441c29f7e5ef1b5ac92a1c4
SHA1 ef48236ca41cb594d802b0a6f4cbe1d23e2e88bb
SHA256 02334bd7910469b4515004ac7db42e16274c59cf7983d6326ff61a0d405b4a6c
SHA512 47c567f9661e1a0255c6e6fb9e7b0d5495419bd6595faafba95600335b9f734e4d267a2bb00cf706b7ab721b519d1fdce01998e37ff027056505d4e79680b513

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 65c25def4b0593ea8bb743b248701848
SHA1 5153da18cfd5cb935cd4a7816d615aaae6621e16
SHA256 3875e035b5eeaddc47cd4573b7fc93f347ebe59ad7a3ef2fe08dabff0e618025
SHA512 2f5ade4f4dc2d7a8fbd8a0e69bac7aa9626f7b897127872888a502688ac7f32678747f043845d410a61f18d4a0e404c4bf82ac7a056b410c2e44f8ddc46c35ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 aeefc3e8ba45bed48364644558e583d6
SHA1 3dc488eb9e39ba4375e7d17fad19a79be091968a
SHA256 e819aa410af20bd8318ccfebf3ef4f7a28bec2bcd367be2ce8122f302b261100
SHA512 5a3862f847c0573b018a452c6a13e43317278ee1c36b0d5b55114bc94f6b015c1230b6d7b0df389aee13bdbf2b345d0d09c4843e74eefb9cc19cfa68fe9ee0c1

memory/4584-343-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-344-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

MD5 6d4701e54c7df4e212adcd8a5803fd4b
SHA1 160d08231e8b59fc347b30e935284d674dba6fd4
SHA256 fab90317f059cc23c7731971c2aa7fb3760b6fa0d4045457b2fccec40020aa82
SHA512 b11a893a73401a423fdcaeb57eed9ff96011a609e6944722b154569431b425d6ad59f9b2943ff33ebaffdeedd5d68bcf32d63cee3bf9764d36bcd9d14d9f6ffe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

MD5 bf7f13087560f01e85854d28c23e39fa
SHA1 a889667540f0a43a5deff1ffb5227db7bb64a9fa
SHA256 c12dc5f43ae5f140cd9677aff3a480a6f4caeb64c1455e181729664c00f5aa3b
SHA512 1c537dd9aad40e283e34b4f6421b4b693001e11a0d2dc7cf5cc591ef70d3318f813889d3c1b77e3709ac5588c6f2fe1a4e3c28016650d133abe13a9e6f4e4da1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 c0a029a882be18f6208559a838e64b07
SHA1 ca839ec4f015cd5ea2e4c5f94e80662e9a4207a6
SHA256 f7c44e9029f739848fd1c1ee78c23ae95ce3f7b41d7dce90234d64d4bcf2ccd2
SHA512 040ea16b442a157397a05b5be1718ae19262879cf42c278a5fe390d0a3899e783bde45d6158afb719d706340d47d0b9324cf3a679f7f812a55f78767bac69953

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 1d49d2d61297f3581a53b2c8bc9922d1
SHA1 bcfe06a27522efb7db39ce81c22f5c5732e99be1
SHA256 f805f21e3f289c0a2723c306775dcb94432806c8bfb93b7c5384b7188152917c
SHA512 ca734e370e208eccb67a955047ad00ab2c485ff9cc034b80a7d2433e7730aa0dd6b5748c693e088de15864831e7b71d3c49c849c91f5b2ce5a6aeeef25ba110e

memory/4584-447-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-485-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/1232-486-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/1232-487-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 90e2f62de995bd1a4aaae4ade49a26b9
SHA1 6fb5feb4d3dd65f3bf62a60a71cad4d9e123a079
SHA256 1ae3d0302b137446e2191348ed21f153444a51fe8f9619249ba14624d8518500
SHA512 04aad8e5021178cacf2a45b960c9b18835e73775f237c4c5e1a3f4f42a56c80bf1fd3da54438efbba16e71853d69ea6bcc47ab222c2500449ed82946a06f0115

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 d7922bb8da410feda9fbc8e849832123
SHA1 72c25bba75290046cac72302a865fb1c9b690f85
SHA256 0d4642a64a871de6b99f43353c08fd8a3aa93e82d45e5019e6ef96a4287106ba
SHA512 d33c91976f7449b9e6fa8cceedfa3a45e2a45665560543ffd187379717243a23bd86c2999b8ae2e47a1f8a674f81ef3668cf7692732560658ebac0cafe2c94a4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 f788207383b84a1f59439ae930436bc9
SHA1 cb12089b6efbb8d7b460d59f4cd1bd68dd7ce1f8
SHA256 3712415467172ac552d74c1aa7005106c2851a71cd093b02ebe09b0b7302ae49
SHA512 ba34c0f112355a424621bc6c5dcfd8f0b0b48cb4e8d1faa6df0c5bb8377da4dfc1d363e4f18ff73b28b22f20dc0efcbd546895057897bd23a09b84403d1a90bc

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 de048050d898cf982c474046693624e9
SHA1 9a1af5fd1525cb291eca1b22636c03b14fca6c47
SHA256 4770cf05422df831f237fd7f9d56b7868369f81a86f45d36e8aa55e999c2d4dc
SHA512 fc46afbee5f1cbfb258f4f26b8aa84eb38d16816454bb6ad6d08fb5bba3a3df2e4d0d8376971c0f111e4b20bdd1ee836f1e48e2cb92c4cdabc40c8362da0cb5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 d5853c848700c6188494cb47cf85f7e4
SHA1 376690893dfb33e80e77fdb7f8805ab172d97ed8
SHA256 62e3a0c944d4f5817239130281a4672b06a59e7d9deeacb91ac151b7cf918192
SHA512 314a5307af8e8e9235933b881242cc9e5a3ede4fc74cc50cc94a41b50c9c8ec98255d424439b573af6fcb42e263f5754ba8282d43e57cf15df88be6128ff3e50

memory/4584-730-0x0000000000340000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

MD5 e33b2ddbd7db3b12b9f76a1662fe13a8
SHA1 b36ae8bce6af2ef854a8ebb262cc35d52dc784ae
SHA256 04d6323acc0d9cc9e3f9341b7f761124b4677333ffa6485b7b4440b4011e841c
SHA512 47b4277e2c7e9dda2270f7d26e76e78304c0998f55030ded3ffa51a3b6225bf4ad798bcdfa70f8e1a329957c5ca08f1ee8bf5dba2572098178ffed92caa83723

memory/4584-1605-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-2188-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-2802-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3124-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3128-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/5864-3129-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/5864-3131-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3132-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3133-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3134-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3135-0x0000000000340000-0x00000000007E6000-memory.dmp

memory/4584-3141-0x0000000000340000-0x00000000007E6000-memory.dmp
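The Files list above mixes the dropped payloads with Firefox profile writes that carry hashes of their own, and the svoutse.exe entry has the same SHA256 as the submitted sample, so it is a self-copy into Temp\0e8d0864aa rather than a new file. The following Python is an added example, not part of the report: it parses entries in this list's layout, keeps only executables written under C:\Users, deduplicates them by SHA256, marks the self-copy, and computes the sizes of the memory/… regions (the 3904 and 4584 regions are both 0x4A6000 bytes, which is consistent with the same image being mapped in both processes, though the report does not state that). The entry subset is copied from the list, with blank separator lines and some hash lines omitted; the path heuristics are this example's own assumptions, and tmpaddon is deliberately left as "other" because the report does not say what it is.

```python
"""Extract dropped-file IOCs from a sandbox Files list and separate browser-profile noise.
Added example, not part of the report; entries are copied from the list above (blank
separator lines and some hash lines omitted), the path heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUBMITTED_SHA256 = "4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379"
# Constructed sample: a subset of the report's Files entries in the report's own layout.
SAMPLE_FILES = r"""
memory/3904-0-0x0000000000A50000-0x0000000000EF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
MD5 f92bc75eb1dd5151fcda78609b39c232
SHA256 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
memory/4584-17-0x0000000000340000-0x00000000007E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe
SHA256 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88
C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe
SHA256 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
C:\Users\Admin\1000003002\e57bb73e4a.exe
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js
SHA256 c12dc5f43ae5f140cd9677aff3a480a6f4caeb64c1455e181729664c00f5aa3b
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
C:\Users\Admin\AppData\Local\Temp\tmpaddon
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
"""
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
FIREFOX_PROFILE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.I)  # assumed noise marker
USER_EXE = re.compile(r"^[A-Za-z]:\\Users\\.*\.exe$", re.I)            # assumed IOC marker

@dataclass
class FileEntry:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

Region = Tuple[int, int, int]  # (pid, start, end) from a memory/PID-N-0xSTART-0xEND line

def parse_files(text: str) -> Tuple[List[FileEntry], List[Region]]:
    """A path line opens an entry, hash lines attach to it, memory/ lines are regions."""
    files: List[FileEntry] = []
    regions: List[Region] = []
    current = None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = MEMORY_RE.match(line)
        if m:
            regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current.hashes[m.group(1)] = m.group(2)
            continue
        current = FileEntry(line)
        files.append(current)
    return files, regions

def classify_path(path: str) -> str:
    """browser-profile | dropped-executable | other."""
    if FIREFOX_PROFILE.search(path):
        return "browser-profile"
    return "dropped-executable" if USER_EXE.match(path) else "other"

def dropped_iocs(files: List[FileEntry], submitted_sha256: str) -> List[dict]:
    """Dropped executables deduplicated by SHA256; a hash equal to the submitted
    sample marks a self-copy rather than a new payload."""
    seen, iocs = set(), []
    for f in files:
        sha = f.hashes.get("SHA256")
        if classify_path(f.path) != "dropped-executable" or sha is None or sha in seen:
            continue
        seen.add(sha)
        iocs.append({"path": f.path, "sha256": sha, "self_copy": sha == submitted_sha256})
    return iocs

def region_sizes(regions: List[Region]) -> Dict[Tuple[int, int], int]:
    """(pid, start) -> size; equal sizes in different PIDs hint at the same mapped image."""
    return {(pid, start): end - start for pid, start, end in regions}

if __name__ == "__main__":
    files, regions = parse_files(SAMPLE_FILES)
    for ioc in dropped_iocs(files, SUBMITTED_SHA256):
        print(ioc["sha256"], ioc["path"], "(self-copy)" if ioc["self_copy"] else "")
    print({f"{p}@0x{s:X}": hex(n) for (p, s), n in region_sizes(regions).items()})
```

Note that data.safe.tmp and prefs-1.js appear several times above with different hashes; those are successive writes of the same profile file, so deduplicating by path would be wrong and deduplicating by SHA256 keeps them apart, which is why the IOC list keys on the hash.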

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-17 12:05

Reported 2024-08-17 12:08

Platform win11-20240802-en

Max time kernel 150s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0ddec3c49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b0ddec3c49.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
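The indicator rows in the VirtualBox, BIOS, Wine, Run-key and Windows\Tasks tables above are the raw events behind those signatures, and the useful signal is their combination: a binary running from the user's Temp directory probes for a hypervisor and then writes both a Run value pointing back into Temp and a svoutse.job file under C:\Windows\Tasks. The following Python is an added example, not part of the report, of turning rows in that Description/Indicator/Process/Target layout into detection rules. It parses the rows (the process path can contain spaces, and the Run row's indicator contains a quoted path of its own, which is why the indicator is matched lazily and the process greedily), flags anti-VM registry probes and persistence writes made by a process under C:\Users, and scores each process. The rule names, the user-path heuristic, the scoring and the row subset (copied from the tables above) are this example's assumptions; firefox.exe's CentralProcessor query and RegAsm.exe's NLS\Language lookup are included as rows the rules must not flag.

```python
"""Detection rules over sandbox indicator rows (Description Indicator Process Target).
Added example, not part of the report; rows are copied from the tables above, the
rule names, user-path heuristic and scoring are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: rows from the behavioral2 signature tables, including two
# benign rows (firefox.exe, RegAsm.exe) that the rules must not flag.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0ddec3c49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b0ddec3c49.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
"""
DESCRIPTIONS = ("Key value queried", "Key opened", "Key created", "Set value (str)", "File created")
# Indicator is matched lazily and the process greedily, so a process path with spaces
# (C:\Program Files\...) and a Run value whose data is itself a quoted path both parse.
ROW_RE = re.compile(r"^(?P<desc>" + "|".join(map(re.escape, DESCRIPTIONS)) + r")\s+"
                    r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\.+\.exe)\s+(?P<target>\S+)$")
USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\", re.I)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TASK_JOB = re.compile(r"^[A-Za-z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
VM_PROBES = re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$|\\System\\(System|Video)BiosVersion$"
                       r"|\\Software\\Wine$", re.I)
PERSISTENCE = {"run_key_points_to_temp", "task_job_dropped_by_user_path_binary"}

@dataclass(frozen=True)
class Event:
    desc: str
    indicator: str
    process: str
    target: str

@dataclass(frozen=True)
class Hit:
    rule: str
    process: str
    detail: str

def parse_rows(text: str) -> List[Event]:
    events = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        events.append(Event(**m.groupdict()))
    return events

def run_key_target(indicator: str) -> str:
    """Path the Run value points at; the sandbox prints the value data with doubled backslashes."""
    data = indicator.partition(" = ")[2]
    return data.strip().strip('"').replace("\\\\", "\\")

def evaluate(events: List[Event]) -> List[Hit]:
    hits = []
    for e in events:
        from_user_path = bool(USER_PATH.match(e.process))
        if e.desc in ("Key opened", "Key value queried") and from_user_path and VM_PROBES.search(e.indicator):
            hits.append(Hit("anti_vm_probe_from_user_path", e.process, e.indicator))
        elif e.desc == "Set value (str)" and RUN_KEY.search(e.indicator):
            target = run_key_target(e.indicator)
            if TEMP_PATH.search(target):
                hits.append(Hit("run_key_points_to_temp", e.process, target))
        elif e.desc == "File created" and from_user_path and TASK_JOB.match(e.indicator):
            hits.append(Hit("task_job_dropped_by_user_path_binary", e.process, e.indicator))
    return hits

def verdicts(hits: List[Hit]) -> Dict[str, str]:
    """Assumed scoring: evasion plus persistence from the same binary is 'high', either alone 'medium'."""
    rules: Dict[str, Set[str]] = {}
    for h in hits:
        rules.setdefault(h.process, set()).add(h.rule)
    return {p: "high" if (r & PERSISTENCE and "anti_vm_probe_from_user_path" in r) else "medium"
            for p, r in rules.items()}

if __name__ == "__main__":
    found = evaluate(parse_rows(SAMPLE_ROWS))
    for h in found:
        print(f"[{h.rule}] {h.process} :: {h.detail}")
    print(verdicts(found))
```

The Run value is the one indicator where the interesting data is inside the indicator string rather than the key path, so run_key_target normalises it before the Temp check; the same normalisation is needed for any sandbox that prints registry data as an escaped string.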

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\e57bb73e4a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2092 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe
PID 2168 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe
PID 2308 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2308 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2308 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2092 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\e57bb73e4a.exe
PID 3632 wrote to memory of 3032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 4944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4944 wrote to memory of 1256 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe

"C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\e57bb73e4a.exe

"C:\Users\Admin\1000003002\e57bb73e4a.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7ef9592-d131-4334-8731-d970d88ff382} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f561ab1e-611a-44cd-a335-9b9fb094e9df} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2872 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c0b05a1-b068-44c2-8176-7b5f5c482470} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3812 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f916bf77-2171-4b67-ae80-db9b48193152} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4596 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bda9eb8-c877-421f-83a2-3a6e22d52ecc} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {625d54de-82d4-4098-a371-ccf504a165f3} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5404 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ffc7c5-da17-4382-8201-49226d856c41} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e04389f-4205-42c6-8ea1-a3bf8779c1cd} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 6284 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16948aaa-4b2d-4d73-977b-08e293189448} 4944 "\\.\pipe\gecko-crash-server-pipe.4944" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49913 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:49921 tcp
FR 172.217.20.196:443 www.google.com tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 142.250.201.174:443 play.google.com udp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com tcp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com udp
US 8.8.8.8:53 234.188.194.173.in-addr.arpa udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 f92bc75eb1dd5151fcda78609b39c232
SHA1 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512 bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6

C:\Users\Admin\AppData\Local\Temp\1000001001\b0ddec3c49.exe

MD5 308d0996727a81dfcb72a69e1a132108
SHA1 9b48220c70d23d2022dd33b142ba6ff8f878c7e6
SHA256 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88
SHA512 65503827ac96c6a81c6ab6a6428286b6b43fd78ded0ec255e21ca3d6f2f4ce8f2fb4f3167afcfd7c6e9b997dd448c937bea01b676f645f33dfe4fd9b88ad2c25

C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe

MD5 aa217dbf9cb8080176f0bae19edc6305
SHA1 1753b00e1dddb7d9635ad0e9d285907445cc70b6
SHA256 fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
SHA512 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab

C:\Users\Admin\1000003002\e57bb73e4a.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\857e70ad-1f2a-45de-8a5d-d608e1336b7a

MD5 470d1f4fe6092fecc9663d41e1ea532b
SHA1 72156105e5698abe55da49e969fbbc6740303af9
SHA256 a1a4d1c2d31c00663f1725d86162c04368f51429d55917ae2a19ed4b6cb4c3a0
SHA512 09d688e8f2597989e2eecbfcf643c2bda3297cd50f0a447a9300f94c8231b579e8374f8b30f4b1c5f694b8cef6d460e5dd5a9863c09b278fa1b8a5907c0c05cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\beb2df4e-a7d3-474d-8245-51118eda4006

MD5 3040b0bcb79bd2d379022b9a6c3e4a86
SHA1 8112462c42176b60204c3760712d495c48bec5e2
SHA256 12739d6c3eab0b1d7d4ef93774a0d9965862eb553988174b5d1f82895bf2e0fe
SHA512 00c7a9072985dda927918c56172e1c4d411f30588a591257ef9fab76a6e0fe1d8a9d929ae5a118261ab04752ce963dd03f306ee2adf2afa2550b8c0c417c5248

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\59cd549f-269b-49ad-b027-d78c707af148

MD5 813e0a2c2bcc0528099af2f4c6de2b56
SHA1 a5ad2d423e3105af9b8c2b77cbe1c306176406d1
SHA256 1f93297f4cc794def2b6b1f38603761473e9e0bf09b655f4867d0ec39262c25d
SHA512 c72eb89faa33d9883f9f2bc7c6e48136a94958d38c25af5b49c3c73c58e39f20e1178f6e7af07af73c8477fff8af740fc8263a71c8e77285aba8aca0d057e7c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 22ff3ec714061cf416f11f954a70ac04
SHA1 1a18f0152731ba4f42068e5396c4045da22e7bad
SHA256 10d6e00b715d08cf5ae68d1fc574ff95a7f55684ad2ecf164134e988dcc4f1fc
SHA512 a2f4c38cb8513c267e854f9d1c4be7b372773bc13e0ccd82f800a1aa1cd7cb6b0fd08b874e354b47fb49b1315c6646c5ee5a511b3dd7b89afab1e90cc7a947b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 aefa22505f7ed576596f16e62c38d359
SHA1 5a59c0a931d41264a6b657a5dc43295d1bdbd897
SHA256 42a6fc937695cecdf9b721709a26af0518ff4888c0474a743946428456226ac1
SHA512 5bf16a9ad75f88fdee8c8b4056cb083434c6c77590a6565ddc140e82211ba67335a76c7121d17cd91c49d4d26ba7ec30d25d89f789b1d7cf57b9d251c7999bfd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 e77750a9bb64c4d6e4fe91f9075a2c32
SHA1 6399a4ff81f03b776438fe45711708d2de407724
SHA256 d6eff04f5394a72de86250804b81a7598b4304a2433fdb0a53f3406395354342
SHA512 80074651108fbc79088b62e0cce3218b03882bf9291dc2894681484099b28c3911e83671882a23b2120d009761caf4f4fc1db0bcb5d32af45e2fa051d1a5fe5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 aa480daa22721bad5570cff912fe1405
SHA1 73fd3d614c95027c7b774ed8b5958eca97bfb84d
SHA256 8cb9eb8f2a553ecd2e99374e5168dfbf716fa4d071729026d8be1959a088a119
SHA512 a12453d17448c5681fa21ae112956714dd16222113a1bb7ed2dfc3e8bfd1558f8990a9d4f8902b215e89f6d15683e03b1cf8ae947d91b666a305f354de7fdcc4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 eec66f909559e3b976cb6b850fb7c291
SHA1 899c9b021f4d6ba43e11626d8000eb6cc5fce005
SHA256 b31d9da579ec9c0ca878f9ee556e861c7a534b8577f24c03dd0287ec8aa166da
SHA512 50416f02f6243ba513246aa380bf9be8f6ee4b26a7daa139521ad647043e2dcbb5b154f057aaea5afe2977b314a6acc8eb855c053e1ac42f6438143d70a6f248

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 d6c42aef4e49e660dcf7327789a750b0
SHA1 3cc00960a8f19db7e34d4499df58ab97eb0be250
SHA256 f58ba012c822fe2f3bc4ca4fb31ba2ba11d42b884706aebd3cc247358f7db74e
SHA512 1cc5bd78f6dabd64a3a0ba8cacc61612dfde64a26ac76cf0fde89fa0adcd7e98ace46eede04aafce22bb50eab17b003141629a93870c5656bb145d7fe0017dbd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 e685d6b98ec2c2f0999d20cd953ae1f5
SHA1 b03bbf59312de30ee65b27f320dc9a2b59b860f8
SHA256 1ce2587d565c3716d10f37413fb0f16bead38096f5612eba182ce2ff09d562ee
SHA512 b081625b7973030ed3767fe09c61609f2db6aec758f423b0568011e8185deec3fd3325677e3e4137497387c5611915b583e8fc5b6078aed3cf9f37909550b1de

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 63b2f773c7596a55de1f245b0530b72f
SHA1 241c9ae25ff6e41bc273b2320c0fd0e9ea3f8798
SHA256 7527acf8ab2602e576ca7e70ab391bfc36c60ad49e807ceebba6ea6f2b52280e
SHA512 8f8db765ce9e50d637a6242273d9edf7618d2b2b9374aa6cf8bd36b7869267702afd332583f3a09571e747ca3f3e89c5f9daa94eceb2da44470fb8bc2753bbd8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e61d239c68fd1e9200b04c176dc71936
SHA1 693ee3e335219fe97b19b67431db07dc8b3abf9d
SHA256 65e526a1d4f1a0e03b3abdf63444251495afd82f85f8d98a541f3e8f3c0b8abf
SHA512 192fc18d1df4d82020ce9199e6a26c4e1dc1b0a471a16260b285b191ef13fd98dd834eb2024dbd3e91c5ad2dad836f25ef8659168bcc6d08e39411f2f10c37ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 b96aac92e3863f23bf23c6bdaf66ea5c
SHA1 ea126ce8a6257092b9ef8d43fb92e85f174968e2
SHA256 2de07512dbdc49f8e28c94d82b9e1a989a3f5c86f10ad7ce8e4f8d6978298639
SHA512 58225a10775c43e5d533ff95bd12d69423f704878dc243f350711216bd192cd6a8e91d4823b11849562d9c5f2fb550d5dc0b85241065405ce341817d7ab77146

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\sessionstore-backups\recovery.baklz4

MD5 70e321c4b68641550b790af7dc1141d1
SHA1 b14d24fe204f6b775efc54744336e689c4683db5
SHA256 8ef78fb111cb86c832ffdeda5ce1773b143416bc8b29240ebc734e26ea2d0971
SHA512 834c581b18b1c0ab8cb86c7e34597e77aa0c9c7c142881ab064c893c9ca8932a7491546cb49d67d5847e6e6948e4fc59581093e8bb031b1917d7ecf78c7f3b2d
