Malware Analysis Report

2025-01-18 11:33

Sample ID: 240817-q9el2ssbjl
Target: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
SHA256: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
Tags: amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc

Threat Level: Known bad

The file e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-17 13:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 13:57
Reported: 2024-08-17 13:59
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5706e7601d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\5706e7601d.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\26cc9b36e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4804 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe
PID 4740 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4804 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
PID 4696 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4804 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\26cc9b36e6.exe
PID 3056 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 4504 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4504 wrote to memory of 1972 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe

"C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\5706e7601d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\26cc9b36e6.exe

"C:\Users\Admin\1000003002\26cc9b36e6.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdcc4e11-de57-477f-ac7f-b08d213f3446} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f95b41b-ab2c-4016-a361-bc35b9ccfd76} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1656 -childID 1 -isForBrowser -prefsHandle 1616 -prefMapHandle 3388 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {187ca067-3d10-4ecf-8bb6-be11892ff8cf} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1612 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3592 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c26d0c2-3a52-4726-9f37-6d95ef246927} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {793c64b3-00f9-43ec-9509-a155311275bd} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 4488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab6a342-2140-41e6-b984-f1892cc36d88} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef74cb61-f1d6-4ecf-9a52-740816c66820} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e98d6a5-6c10-48e1-8504-79a5fbfd01a5} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6232 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6575c7a4-203e-41a8-81f7-b0aa5f6c6e5b} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 13:57

Reported: 2024-08-17 13:59

Platform: win11-20240802-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\c770c2ddc0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\c770c2ddc0.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\26cc9b36e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1916 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1916 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2840 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe
PID 2840 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe
PID 2840 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2840 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
PID 2840 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
PID 2840 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe
PID 3764 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\26cc9b36e6.exe
PID 2840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\26cc9b36e6.exe
PID 2840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\26cc9b36e6.exe
PID 4524 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4524 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3572 wrote to memory of 3484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3484 wrote to memory of 4552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe

"C:\Users\Admin\AppData\Local\Temp\e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\26cc9b36e6.exe

"C:\Users\Admin\1000003002\26cc9b36e6.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d126d77c-7488-4cfa-8c4a-57191eb7ea3b} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ca7373-e735-49e8-b3e8-0bd06e9dcb24} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 2972 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f54fd2c-7d1f-4b0f-b88f-eade99aeb323} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3816 -childID 2 -isForBrowser -prefsHandle 3808 -prefMapHandle 3804 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad72809-a6bf-4d7e-bf44-bd01242e0f17} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb7cefe-90e4-4aa1-a784-80bc52169477} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5456 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c96e71-9f25-4c2d-923d-608a530eae23} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42f88a3e-a564-474b-90f2-94421ddb22f2} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5780 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32d663b4-49ce-4371-ad3b-5efd32074b31} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {313a4ca3-0b3b-48fc-ac96-bf7047d56446} 3484 "\\.\pipe\gecko-crash-server-pipe.3484" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:49885 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 216.58.214.174:443 www3.l.google.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 216.58.214.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
N/A 127.0.0.1:49892 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
FR 142.250.201.174:443 play.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 52.111.229.43:443 tcp

Files

memory/1916-0-0x0000000000CA0000-0x0000000001153000-memory.dmp

memory/1916-1-0x0000000077AB6000-0x0000000077AB8000-memory.dmp

memory/1916-2-0x0000000000CA1000-0x0000000000CCF000-memory.dmp

memory/1916-3-0x0000000000CA0000-0x0000000001153000-memory.dmp

memory/1916-5-0x0000000000CA0000-0x0000000001153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 320bfe32e64a031b70edd32097fd148e
SHA1 e4f4aa216b8775feff342ff10ac78710f328f75a
SHA256 e2d525f0baa075074acbcbf8183e9b2c0d8d253efed8d698d600e61374e37ccc
SHA512 9962cd1fc6f9fc2c8823ed2d73bcb99a01ee52c01669771a1364b2414e605a63d077abd4c950819227c2952442bca0dd4f81086fb51dc9553bfa3a31ed1a1962

memory/2840-18-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/1916-17-0x0000000000CA0000-0x0000000001153000-memory.dmp

memory/2840-19-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/2840-20-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/2840-21-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\c770c2ddc0.exe

MD5 f5d4a5d65de3574a5088acbde245b775
SHA1 29ce38d8fdc2cbf64ae80481843bdbd6f7085015
SHA256 857eec247df3a7adfbb82e574cb7333fa522ede95ce9b486fb349a5f9455c063
SHA512 0214b30e1f589658dab52a37dc1a7c89df22a167306568e141048f3b33560796e943dbe4a8e9b009df0ef6a8fb369ad4ab95a498426c643de0690c922a6ba657

memory/4088-40-0x000000007347E000-0x000000007347F000-memory.dmp

memory/4088-41-0x00000000005E0000-0x0000000000710000-memory.dmp

memory/4524-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4524-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4524-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\20b970ccbe.exe

MD5 2f76d8ea3e1db9164e420c4d574aa44b
SHA1 ddeb21ff46fc9e6a94363035de6f3d8aab5f740f
SHA256 fd6cdb68a33740d70fb2454f8af23b91d379405b61ce858a804635859877c20d
SHA512 3cab2a539cb3e20dc01741923762c5cc50e07dd270d585c5c0478de8db087d9b723b39c819e3169b7a4a55cac1efa40c36b651d31a3eda7b6547ee6ec07108cd

memory/3764-66-0x00000000007C0000-0x00000000007F8000-memory.dmp

memory/2512-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2512-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\26cc9b36e6.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1192-86-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1192-87-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2840-88-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\353dccd1-dd81-4f62-92ac-e17f2ffbf69c

MD5 8a8eefd56238cccc46f460dde20937df
SHA1 7dc1726787aad68d4d7e603c025ac20a30cd6732
SHA256 7306b50f7fff516a5e5e45db6018b27dbf2c64163da03db0838e5a9f8d86d094
SHA512 4b25d5f60056a1ca46c45604eada8e0fe1bb22999cf2d3c9fc313862759093af7d0e875827d297996815af7429dc20aa9f2a0eac2359b9d1c4fb1480c98329c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\f84d8aaf-bf59-4d15-b109-6043f6fd3e02

MD5 ea069ad35ed29030aaa1ceb7d36a088e
SHA1 e29004a235c3958f6327aecdac754db38c002e7c
SHA256 ae0966b064aa142a42a3a55e5bf1477dc45d857ce77978baa646fafede401d4c
SHA512 4c1ccc5083598281b0b83549f97b42343ca2b1517facc0bbffc6757bc9ac6a8724eadf8e92e913441974df536c23edd13f98a6b071562654725676130ab973a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 832e540f7f36f19ecae81562609a27d1
SHA1 87658f87efea828ec8c2ee0d12ffa7a7aad99a61
SHA256 8af03cc0567ec692d71489110afff64f6a5a8deb6fc4e22c9d707f4f30013a17
SHA512 29a8c318c9dc2341995460d8e6f8e949e15797caae1d8b4e7ff492f9d692082c09fd7457c25fb96e4bd78ce2b29a2aca3b05728994c9a3e9c8abd1334b0018c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\22070b57-2324-4c3c-bfe1-cdb8cce6002c

MD5 e1173962eba83d1e7ed8763135c5a3c3
SHA1 22493bcf1c4a05e4151e965a7fb79dafa07b51ca
SHA256 74aba0407b6560946e7b21e7dd98669e7e0741ff51250ff63c077846f6f4f2e7
SHA512 2c16fd76a1f96765b619bc9bac2b910606a4a7557bea262982992e52c4924e748c3a135d08328bcc414e42060843dac196693abfb0adbae4a8c8bec42c488cf9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 2d6fcec4ba506893d2a77dbe40ee4ea4
SHA1 ab2a594d4f76ce8c76806ecca871144bdbb64b40
SHA256 67d8304fd2bbb5f4edc766983e98de3d17c74b9d17f589d271cb249d2168266e
SHA512 dd529307f600c7ef8715a0b32d6953ea6b23b55312310a7989e3600982868c9b0b29748fdded7573770bb8e17caba99ac60b77dfb3bf05775754254797bb2d26

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 92d71f2e9d5676bf851efb45a050a84b
SHA1 b2ccc4b09dccd02b510a690d8f2d882df789dfb6
SHA256 1219690142b5caec119219b2e2c1ba1434eeb7b89f51caaa33536e2857b5800c
SHA512 2b78da735412a78c9fbf5bfeb1df99350ed39fde91829554f5fd5de26c7c61f154c9b69ae7c5df44b388a0420adac14ef26036a40979707abdcf1d297302b206

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json

MD5 2e8cb8760d95044f510e4b5f37b2a5d6
SHA1 c3b16fd80dd2040b4f02b767700131e610eeb9e2
SHA256 719ed94562a58c2d8db39672aa0b569ae3ba793aa0fdae6ceb33037e6047a9b9
SHA512 f809faf61ba672d809b437144054c1828b2daa1e0adc5855b6340952bdb7eb90213aeff86fd0b67aae07387909305b0929eecd966d0a434208824f91d9f483d4

memory/2840-356-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 1cedf3e0302e83aeca9f82e96718f603
SHA1 163915c1aa3bad9386dc281fb92e85a997f1657e
SHA256 52d5a1009c4ad9e53f33c72679d7ad573806997073eede5db691b065db8c3ccb
SHA512 405c4d84a0e308cb41bacaae809fe547a235f96feb3541bb53d61656271fbc58f08de315fe77d8ba8e857f743b37fbcf3f335c896ceaede86223b9f4f3b3e532

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

MD5 6f1b1abe5c46d0aa7d0129c449c11cde
SHA1 d6e029752b1165e43b16f5f2d04a9acbc84814ba
SHA256 a299db76303809840f752dad7f1cf7dcf5e2d3453b18863dcfda18a8eb03b6a7
SHA512 38284a0d3cbbc5b4b056a11f4796ace4f98d728f17b212607b003386a4dec528506c5bd2b1a3378ef18060e746506755d4d9209a7f7894032aa843810f280365

memory/2840-420-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

MD5 19fc2b0f0c25d36c458e323453171d24
SHA1 36b5cc633e76365f9098e72648d08ed545217e00
SHA256 190d04bc508e91818925e6d8450ce898a1bb0313b264a66e7f88ed221079c2ce
SHA512 76bf9a2577aa1a0713ca215e260968f7370586fdc35c9f0698032328a42d258b93e5d44bb82dedcd01d86a3cf9bfd7542bba9476786ef47069e3790e75bc428f

memory/2840-471-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/2840-476-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 aeb47254679758c151705335f90f3041
SHA1 8af0b9eb32fbece767c7b33d253884da7c846ab6
SHA256 2c6fcab9396f9d61f4ff4a801e530b022f65ecc851319e99857e2ba302ec0cf6
SHA512 478f6a68624b0191512202cc4892e7a949bd12a0938f29f85dbcf6285b0a5cd1b86a3c75a62706731ccc16be035394894caaf935561b45201124b84715d25d37

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 23f802a30b768ae173464521bc463b2b
SHA1 a1627ba6deea8da4009038dc6e1127a7cfd5b5e9
SHA256 4b6114936dc508d66cb2e7a206942c58a9bd563591fafff897eb522f6eb84a22
SHA512 7ffc643c8d7d32514b8cf0e342e724de6c70d36ca57be35085fb54c4f4f9e9717482251536dea93633027f25250bdf9fc74d161529a7325561408bb3515eefb7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 4eb5852b4b6b6eb895d4f290dbfc1f79
SHA1 320e34b54d6f8fd8d029eabc54a8fd1f7fa78be9
SHA256 55743e41374bb00edffb9901cc2c570818c3d5ceac818d9de2b84e7f02ffe7e7
SHA512 3d7f58ecd3109f1d1242a6c6d535338727a49b2f20750004d24987a6de98e42ca1d87dd990fa1b2dc13a16ca886a0c04a09620c0e06faef2fa204c5bab05b725

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 ca2ede2511c2a5b6311810e6aa88d7e1
SHA1 bdaac797675a7eef104941457bbe6a5b6be3ecb1
SHA256 06c86827b4d30172bf02b57018f00bd12569e6761d370ab37436ed8672002a17
SHA512 32a91c38e85beca4343e218b87bc223e96c9154b72f71bfa709eaff9c2cb4d8c22685ce76ccfa3fc24dfac80cf1522ba6683696a1f26d305c550120490839508

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b1ea79a0b0d6c33bd0ed458e9f9ac375
SHA1 4aaa2979972c1e34d7df2a21d39d745c1d30d057
SHA256 8c82cd08d92a1f73be93b8184fdefe6e0e366ff203165b7b7c0b33e3edd45eb0
SHA512 8874ad21fe9d368d594f23b8fcec7a2c5f7e870c68ced35f56796c249eaa98733461eed817437b0d8ad721b523c375d0e17674c7b06ef3a396a953c884c380f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 f4caa5ddd051006911d8be199fc601d1
SHA1 4f0dd36ef4d88128512a15cc532ee7e211705550
SHA256 2281cea4df5e6882253649cd823efed8e145be0f4682780f814915d8e8b80f13
SHA512 c992454e2dc6ed7e38c0a2798a5a893fb8c36527e1c7fc332cadd3e61e307f74997a55eaac1579fcb552d14ffaf0ed7bf55aad9f89010e03e688216a11040391

memory/4904-656-0x0000000000A20000-0x0000000000ED3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 64086e9a813359328c205d73f454cf82
SHA1 e174e7e5a48bcd776616d3dfb8fc8af587fbbc87
SHA256 61351927f825c1ee39b06cb01f0450746d325b170fd8b166a17b742dde2e470b
SHA512 21d5c2493cc210d9714a37eb0e456c7c77c17ec69dea7848beabe22b1d1a04ab647e1784e7908fcdf32a83ed938748add010e85ca34c55fd63339ac269c06942

memory/4904-1277-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-1283-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2395-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2632-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2641-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2642-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2643-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2644-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2645-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2646-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2652-0x0000000000A20000-0x0000000000ED3000-memory.dmp

memory/4904-2653-0x0000000000A20000-0x0000000000ED3000-memory.dmp