Malware Analysis Report

2025-01-18 11:32

Sample ID 240817-nehdcawapp
Target d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
SHA256 d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
Tags
amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a

Threat Level: Known bad

The file d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 11:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 11:18

Reported

2024-08-17 11:21

Platform

win11-20240802-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9ac3a22ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b9ac3a22ea.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000003002\fc92cd8874.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count (consecutive identical rows)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 6
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 4
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 1
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A | 17
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 36

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count (consecutive identical rows)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 64

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count (consecutive identical rows)
PID 3064 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | 3
PID 3572 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe | 3
PID 4792 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 4792 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 3
PID 4792 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 10
PID 3572 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe | 3
PID 2276 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 9
PID 3572 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\1000003002\fc92cd8874.exe | 3
PID 3828 wrote to memory of 4156 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 2
PID 4156 wrote to memory of 2284 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11
PID 2284 wrote to memory of 3860 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 14

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe

"C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\fc92cd8874.exe

"C:\Users\Admin\1000003002\fc92cd8874.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99385c36-f859-4d44-89e7-b88b312ba4ba} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c99cc97c-07ae-4d30-85dc-21b9e7491dc7} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3196 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5624262a-f975-40a5-a2d3-60e4dcd76664} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 2 -isForBrowser -prefsHandle 2932 -prefMapHandle 3056 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b94bf5e-d973-4f7b-b049-12ba56244a8f} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4936 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {452c54e1-992f-432a-849b-13f5b5b8f8a9} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ea19b6-15e6-4a5c-b59b-9514035ec57b} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 4 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a3e757-a2da-4921-aa4c-16680ba2c529} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 5 -isForBrowser -prefsHandle 5968 -prefMapHandle 5972 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94199de7-0bb8-4213-88e4-533a715d5f89} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5968 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab61f012-fc7b-41b6-b9e5-a3657aa14d47} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 47.249.226.44.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
N/A 127.0.0.1:49836 tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49844 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com tcp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 location.services.mozilla.com udp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/3064-0-0x0000000000CF0000-0x00000000011A2000-memory.dmp

memory/3064-1-0x0000000077556000-0x0000000077558000-memory.dmp

memory/3064-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

memory/3064-3-0x0000000000CF0000-0x00000000011A2000-memory.dmp

memory/3064-4-0x0000000000CF0000-0x00000000011A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 0341c85ca79dd94606a80b217ccb3e60
SHA1 8c62747c0170ffb2006b8152cde98bf254a685c4
SHA256 d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
SHA512 afc2258f90fe4343f4af4a5d2f598958ccc83e6d58339693f9a0f03b3e31ce70ff3f9d927a4592c2e5537e2bd6bd7d0bf731efd5c56779a2378bf2676098ba91

memory/3064-17-0x0000000000CF0000-0x00000000011A2000-memory.dmp

memory/3572-18-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-19-0x00000000003A1000-0x00000000003CF000-memory.dmp

memory/3572-20-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-21-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-22-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-23-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-24-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/1364-26-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/1364-27-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/1364-28-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/1364-30-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-31-0x00000000003A0000-0x0000000000852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe

MD5 0507df47dc52b6ee4395525827a98fda
SHA1 324a3b2e4241c995ae9d071e92ea100bda7f3b33
SHA256 7ed6196256eda92f5344983a3c530aadb2cfc59a728438f363a2f281003e2cea
SHA512 0ecc42cd98668a92f2144bfe8027669ece942f3e2e78945fd49325f65184d9df88f6eb76f5757b70ff8953388b9d07d38862ca91c223b62797f50b5eb9e37d28

memory/4792-50-0x0000000000490000-0x00000000005C0000-memory.dmp

memory/3828-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3828-57-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3828-58-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\e26b810f61.exe

MD5 87dabb17ed3d14423cc2b23fe66bf66b
SHA1 b63310220a1659e56bcd154c4a39158a1209e388
SHA256 0bccf21db72dd2155dce24feec1b47fd4a07ea6ebb5a69c4abed33cbe2469ab0
SHA512 88e7a5af6286344de7b4ddb2ae369e9ada39c75a762edfbf6b4ad2eca6fe6da0c750ecf7ff6d76c05bb1796c65798ada3dd2c4d62d3ab7cc0285f0ea805f8b61

memory/2276-77-0x00000000005E0000-0x0000000000618000-memory.dmp

memory/3616-80-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3616-82-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\fc92cd8874.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2348-99-0x00000000000B0000-0x00000000002F3000-memory.dmp

memory/2348-106-0x00000000000B0000-0x00000000002F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\cad8dbc4-4adb-4fff-b2e4-15e1de463a81

MD5 6376210477ed8db6fe088b1d96d27899
SHA1 3fc1ea66bf4bd41fe7fb8e0ef57da2e3b3d56486
SHA256 0594f619e20e21c46a84d1628268fc14a50b4c25f2012dc8a9d64644c3f701c4
SHA512 592a9aa02600b8e67d1423cd0cf53ca33657111c8f03befc7c202c3813ffbf93d814c95f2c6d37d9e24ef33f3a2dd6a37e972301b799851b799a8a99bb67392b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\4d74db23-448f-409c-9116-69f19e154010

MD5 e425ae50ccdf6b57a4366e1d0e1ffd07
SHA1 16e68876ad36d05bd7cf06ed3747972d321e2e20
SHA256 e4ef40ecb2a9fbb42613e11240136d92ab704f9654c7e28fb8808fa54d10239a
SHA512 2540dff294ef7f8e13cad32ced1d6ed3fa30fc44acfd0741e2dc6ed98ddaaf87f58508cab2560bcb9a30856eaa6ac3ec279b14be61fa9455fbdf783c079292f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\11c14a6d-06ee-46d0-aac4-39057fdde566

MD5 0e27cf1763907b77141ef4d6d9808341
SHA1 815ab9069ee4688c69af717dfb52485f40b8be5e
SHA256 88050eb22cea8e00c49991803bc8e00dc044fad48a526b71cc948d5d71391919
SHA512 4e265b5c675cfd2fe42a5e479f30715c5fe80123939e7d4d386eb0769e92fba44aa30b8eb4641590def80694ca722ecd709d2202ba8e0d008da699e986afc7f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 1e3e72d7cac25a9fd88a1843f2f0f2da
SHA1 baa3db9aff12bcdc23b64a19e8db8ddd11fe572d
SHA256 aa464c47f75afec9d313df38cf5a184cebff7df73637506258ef73e1c8bb2748
SHA512 a09702523720f81edd329807ea0cb7a1b895dbe88f9fe526ab9e86fe105b90ab1566bdc08272c48872ba3e182bc068a6c2519d17cfdba77df58e073233d3348b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

MD5 756e74ee83687ae05ef13ca0c0a0b97e
SHA1 50707c73ad9c732c721f2c397ae123f5f2956a43
SHA256 3a1c4b92ee327576b43211c8a98cda493e12c919c9bc1c76fd68fe33b6835315
SHA512 4d337cf94149eb752ce883384ccbeaae6f83bdf0859f0bdc5da2d9291fdb95e41245c414b2718812c4953d6226305cafbb4b79c84b489678b6dc0ecf789a9581

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 5262566db28be486f595dbc9b5fb29fb
SHA1 7a0ed2893b8fc753a3ce67acfca0adf2d3cabf57
SHA256 eac6c3961261353249bd8db75089971b6e9e1eec6cb9ddc57abbc658b6380dc8
SHA512 575d5f683cb2ea54a94f75cb7ff9014898467ccdb80365f62333bdcd0ce2ed1543dd19b492e534602f1c82c12a68a73e29a59b783700aca19bc4bd6cfff48475

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

MD5 da0fbb855cff65dbbc2b51b66b961fa7
SHA1 069a1a50e39e415b4f3f03e2b93a810ea113ffc5
SHA256 46f3ece108a788661f5d9badec63342e97505a25954eb0f1f62805760fd2f80c
SHA512 26a5f21f3f3b20cf93b9a6eabe1cb35951e49e8656a015a224f0f3c895704bd6bd037895a8876f350fdc1092610c89bc434f1aade3ada5db48379f179f853ed1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 b32cd2971dff7b4335fec328985d158d
SHA1 055776a8acdb9d9fa79ad2d425d478ed794047dc
SHA256 903bf4b03dcb97539549735405b9a8e533334781fc3c235c6ed0920ab29e32a9
SHA512 d03e5aefa9101ca26c7160392dc7c6355ec0f8a35017677d343f92f5edf9a70d7ea026f96a9615233db23fbc3817fb668d5ff23c00ca68f50182ada238c2e176

memory/3572-449-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-470-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-475-0x00000000003A0000-0x0000000000852000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 4ec5014992935e6b92797b3caabe0d2d
SHA1 524b51b93bd4ac30c564d60a1311a43195853c9c
SHA256 6e318c82114b45a85c81999f54709acac5331b30a48c21f2cfc08d8ed7f4dea3
SHA512 1e0d1ab31ec23cb6d471d51758ac093d4ff1c6cd49f4a3bb2fc047011dbe639ad016455c495bc8f6252f56dd367bb326d0374b9cf3dd695b074a4e8ffedd2123

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 22aaa96d73aba020499a8f22319e62f5
SHA1 e40496f8020028c4997689f31a600cc519a818d5
SHA256 51b88b1b96273583ff82742f9606201b62359c54bd4acc59fabae678effb1376
SHA512 c773b54e04a7b9e2efd537bda353b6d72bdc557936b3eaf5ac7af19cf4bf3cba821af398ce001183b669af13823b3c9cb66a7ac10143766face4394346d10b3c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 84d9fae7b7855e52f1308f7169488ce9
SHA1 959745a8af2e4240e8affbe0d9847df7c016c78f
SHA256 dab25b6a7bd090e0993d4ac8b2d8940566f8f4889a7e1c6b1763644f6b379112
SHA512 e3000076ff4f6ab55f428afbeb56c1689fb109cba16929f4ee225c5d76128dd6eb9756f3ac1c8b53a4846112837c2658664c11669903b5362283a0fe184ff46a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

MD5 1f011ededd60870e96e1ddf08bed7dd8
SHA1 604603569e4a8a1cc513bfa6f9de1da47221fc6b
SHA256 c381546c088661927900dc5708bee933f8cb15d58e978b731cc1d33d63bd411c
SHA512 92cfece3deca8b535c9f4d9ede7a0deeedc6e20c6b8b02aa7c5893a1ec3ccae150c81dac18c2ce7a77137b2dfddaa94a15d48bb56bd2fc3354c1836c11f1ccd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 0e61967d603ea60b5fb8c0b29996c9a6
SHA1 95bf62a632a3147610a96837b201ca7cbc38dc1d
SHA256 8f236ce873cd9f4f2ac8bb09a5ed75a4c956f44658e7db8de88f80d1f3b40bc1
SHA512 84a13758297dbf403bff361e4b001b3fb0ce5ca8eafd6ce32c5287c229c74afc04a8b79bf2727cd38133720148e16698e817089e2b053a7aaa041d6c024f8f6f

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3572-1497-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2613-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/5956-2619-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2620-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2626-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2628-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2629-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2630-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/3572-2631-0x00000000003A0000-0x0000000000852000-memory.dmp

memory/1480-2633-0x00000000003A0000-0x0000000000852000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 11:18

Reported

2024-08-17 11:21

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9ac3a22ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\b9ac3a22ea.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\c5156435d9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4088 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4088 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1736 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe
PID 1736 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe
PID 1736 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1736 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe
PID 1736 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe
PID 1736 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe
PID 3228 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1736 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\c5156435d9.exe
PID 1736 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\c5156435d9.exe
PID 1736 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\c5156435d9.exe
PID 3440 wrote to memory of 1308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 1308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1308 wrote to memory of 3612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3612 wrote to memory of 1768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe

"C:\Users\Admin\AppData\Local\Temp\d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\c5156435d9.exe

"C:\Users\Admin\1000003002\c5156435d9.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6d31328-9dcc-4024-8227-57c8f0593629} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73fa5a19-2e63-4106-ac4e-d25fc975c983} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 1 -isForBrowser -prefsHandle 2808 -prefMapHandle 3096 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2db5b05-8187-4296-93c4-45f538d593a3} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 2804 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e399b850-b8f0-450b-96ef-1d38a7e3059f} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1248 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4236 -prefMapHandle 4228 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7537a940-4344-44f3-9857-9f2dbc0b5539} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 3 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa9663f0-decd-46ad-8eef-23601a6ac560} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 4 -isForBrowser -prefsHandle 5804 -prefMapHandle 5704 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bde6f6dc-fcae-4bfa-8322-a0c9b60e3e82} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 5 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0025d06b-f17e-43ac-b00c-61a886350334} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 6 -isForBrowser -prefsHandle 6276 -prefMapHandle 6280 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {228fd4a5-3f16-430f-8e0a-e06c8b53eb5f} 3612 "\\.\pipe\gecko-crash-server-pipe.3612" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:63123 tcp
N/A 127.0.0.1:63132 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r5---sn-4g5ednsk.gvt1.com udp
DE 173.194.188.234:443 r5---sn-4g5ednsk.gvt1.com tcp
US 8.8.8.8:53 r5.sn-4g5ednsk.gvt1.com udp
US 8.8.8.8:53 r5.sn-4g5ednsk.gvt1.com udp
DE 173.194.188.234:443 r5.sn-4g5ednsk.gvt1.com udp
US 8.8.8.8:53 234.188.194.173.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4088-0-0x0000000000D60000-0x0000000001212000-memory.dmp

memory/4088-1-0x0000000077A24000-0x0000000077A26000-memory.dmp

memory/4088-2-0x0000000000D61000-0x0000000000D8F000-memory.dmp

memory/4088-3-0x0000000000D60000-0x0000000001212000-memory.dmp

memory/4088-4-0x0000000000D60000-0x0000000001212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 0341c85ca79dd94606a80b217ccb3e60
SHA1 8c62747c0170ffb2006b8152cde98bf254a685c4
SHA256 d64d4f34e806bfe57f907f4576c7d79ca36abca05e3884b1f1006dc93f55f07a
SHA512 afc2258f90fe4343f4af4a5d2f598958ccc83e6d58339693f9a0f03b3e31ce70ff3f9d927a4592c2e5537e2bd6bd7d0bf731efd5c56779a2378bf2676098ba91

memory/1736-16-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/4088-18-0x0000000000D60000-0x0000000001212000-memory.dmp

memory/1736-20-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-19-0x0000000000221000-0x000000000024F000-memory.dmp

memory/1736-21-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-22-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-23-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-24-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/928-26-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/928-27-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/928-28-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/928-30-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-31-0x0000000000220000-0x00000000006D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\b9ac3a22ea.exe

MD5 0507df47dc52b6ee4395525827a98fda
SHA1 324a3b2e4241c995ae9d071e92ea100bda7f3b33
SHA256 7ed6196256eda92f5344983a3c530aadb2cfc59a728438f363a2f281003e2cea
SHA512 0ecc42cd98668a92f2144bfe8027669ece942f3e2e78945fd49325f65184d9df88f6eb76f5757b70ff8953388b9d07d38862ca91c223b62797f50b5eb9e37d28

memory/4364-50-0x00000000001D0000-0x0000000000300000-memory.dmp

memory/3440-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3440-56-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3440-58-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\fc92cd8874.exe

MD5 87dabb17ed3d14423cc2b23fe66bf66b
SHA1 b63310220a1659e56bcd154c4a39158a1209e388
SHA256 0bccf21db72dd2155dce24feec1b47fd4a07ea6ebb5a69c4abed33cbe2469ab0
SHA512 88e7a5af6286344de7b4ddb2ae369e9ada39c75a762edfbf6b4ad2eca6fe6da0c750ecf7ff6d76c05bb1796c65798ada3dd2c4d62d3ab7cc0285f0ea805f8b61

memory/3228-77-0x0000000000BD0000-0x0000000000C08000-memory.dmp

memory/3588-80-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3588-82-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\c5156435d9.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/2492-99-0x0000000000BE0000-0x0000000000E23000-memory.dmp

memory/2492-100-0x0000000000BE0000-0x0000000000E23000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c18663a0-fd3e-499e-8850-0a5bd12994ef

MD5 4261f843d8331ecf64632295e67d752d
SHA1 a8b8e3c1a68c9e0bc4577553e07f89a94a1b8520
SHA256 97e7d4629522fff486fe6f1bdf060f2778bf8e089f5ec781107697e7faad2d62
SHA512 146f59c3ee03ea302c33a1b1314c074c59bef74f7e23fe350a1c9f228eb2d5d70ce6904fc814e8ca11d77a496cee797398ca0a3a6a15617a8f3878442516bfee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\273790fc-411e-4ec7-b75c-e9538d5951fc

MD5 c99b3fb2fd90843dc42112afd4bfa215
SHA1 65ca72faa3e4246a76392323ede998620f8811b3
SHA256 0d113730cbd7bb52219d2ff3056c58e1d1600cd6c5d6bad4af339d1f61abc1f1
SHA512 bda8c4d76d967ccd57d5bffa0f7ffb2d6c7adfc664c4a1d2876a0783087232e37de479d8278a4125d608fceb698bf769a71e7c88f876dddd5007e4d000ea5d4c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\12cfcaf3-b62d-4a25-9822-03547a7bf72a

MD5 1642cf4781544fd799f1d662673399d8
SHA1 177be10ab4cad54fea314bf99a619163b72f1bb2
SHA256 ab76db14a69af800660e6bbdd76700f533a0a82a941b01dc4c5def5296f30228
SHA512 b2d4d426ffd595778c4a6b940c6ebc30956db05099610aeecf1468a7b84286f0e379e32a286adbbbf8f2a6f5451356e6a69369b30f60e0459d9ccccc7ee62ef2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 66cac86b0866085e8467b297b985b019
SHA1 8249eb72403e957f043cf2ae622b5ec1d9e7f301
SHA256 311329bea01ec9de3b23d410c5a16894b2b3e51c3efde77ad54ab58febb7e12b
SHA512 575918e681e2c3ea0f22129b6022f4fea0f5693e3e20644405ccab37ef2b138503a1c1f01c23ff090c98a64420a9e062f79c3f84d98d6c070b957df5da7eeb4b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 4995e46da175c1f71a1e5703fcd6cccc
SHA1 d74af11c5a9c9060d0803ec491173f431ac138a5
SHA256 90735429b1d9330e13ccf2ff954652431a4d312ad96f5a70d1c197100e73cc2d
SHA512 3cd3c8a98643693f6b7b92658fd156b95f873fcd3b25c4240c276974dbad81d42550a90e24fe095b4ad2f7fa542a0d21e980aa71073b7fcc0641645cc065ef4a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 35e72f0200720c7fc2b3111162f7181b
SHA1 5a03d5f5a9a7cacf5367bead99f581460b34972c
SHA256 99a560a668645c09eeb42f94f57de1c36ebce15277e91ac65a7fc9353e577e06
SHA512 e375806fb4ca5938efb9e2712c04b0c89d7558e572a39ab1f66c6c6e0a301cd10b2ab44acdbac70376e61ebdf3c2d170ebd432c76045c3cd1e16a66bc6ec80a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 94856fd9e3db97fa251a72c1dd44841b
SHA1 3ac1385ebb06b6d61b14292ce842751824477b2c
SHA256 09eeadfa4979e5de3bac45abfd4f7b116ccc1d559c823c50ece6cc915182dfa9
SHA512 4f01ac999ece890163abb7cf2afcaf8ea4d3363e42b612b2cfc689b8a34e961ede102a4e16620ff2d0336d80a80178d64a0458bf6002f82cae74f799e90b4a23

memory/1736-433-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-460-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-465-0x0000000000220000-0x00000000006D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 d490993e0bd08ccc74ce6327da04f552
SHA1 fc361481012c7b5bb17b95d137d515cbefbe2d94
SHA256 673d53e0604785689fbba8ea8d641b5621001dd7caef8160c3fad9f4a6157f55
SHA512 bd7c6bf43c5d37ed46a8a1faf8848fc6aaa29df3f937ab72e596a4b8cd0d5a6682c719ffffe029f580da56b0cfdff450ada0ee0a3a8f477b521065c07c2a5bf2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 f1eb561f309f111d3a4f2cedbbee18a3
SHA1 1dbbcb09cd75c856de3f6e332231eb2f1325808c
SHA256 87b9d480d0dc127c3c73916bf3ef452465ce64b274ab4754e05c1f2ac5274906
SHA512 26f42c416e28ff3a6142e892d5225e56bbb23cb0a7d0171bd147e1d62311717cacd33e039018849c42d105ce80ef85db103382a208eea4218edd881b7f9bb2d6

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 9295a3517c3390612fd597a721ff38d1
SHA1 97db4807e8d7f2add790b236b27eb81f2f1e4da5
SHA256 74960ecd4f639d6635a75d5fbf7e5d2b105c8ec7bc5c22030afaaa8a6f674cef
SHA512 d6ed7ebce68f0ce8272b0888127021868fccc82f14047eaa636b88f814102ccf3901250bbe02569d41a91eadf39bef8f9942b389a39d36e735ad7f5c076e7bed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 07e31c2d60ead47061b5fc83f2b642b8
SHA1 52fa79eb6d0e0c0e1b35bb57eda58ad4120eae94
SHA256 fbfe4317fbab1dc0d7adaf8c6a30e6887493044ba9e504a0a54a832d7eb9fa79
SHA512 872d02d88ad075f52afae26af9b87a013c682f98dfa3607dada3341bfe11bc22dedf19ddf77931edb5046dd62d36f27980955bd7ca0eff29ce2e794884a485b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 72be4f4cb3d98abca2a56b90b790af5b
SHA1 16d67627d5ff440ceb145e37d7a61cf93f8db4bb
SHA256 bcfbed334497a9fc2fdcbfdbb8da854a576a6533021aca3620392091b92b5f5c
SHA512 3082b31709c3ccb22e99cadff08e0dcebd4cd84191ba7e5f20fe859f4f75481de6c2d3e8d959d1da26ddf3742ad3fb252c686a07b852220fc629fc8ddaeb8913

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 b7e36e8ab262b9358a5da7361592af55
SHA1 fae91f63eb6933b355cd8161d8cecd3ff536ea3b
SHA256 f8a4df55c69adc8a87a8f79c6c214fb84500c3975e2809b01db00ad8e94f40ca
SHA512 25eaf051574389254ffa844bd27a68cc2c5ac9f928f7d0a552cd8be39eaba4b27061233524bb16212b22c7df935f7aef547f8e51bf208ad6374e366b48fb5eda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1736-1115-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2468-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/5996-2551-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/5996-2552-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2553-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2559-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2561-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2562-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2563-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1736-2564-0x0000000000220000-0x00000000006D2000-memory.dmp

memory/1968-2566-0x0000000000220000-0x00000000006D2000-memory.dmp