Malware Analysis Report

2025-01-18 11:32

Sample ID: 240817-r5yd2a1djb
Target: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA256: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
Tags: amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060

Threat Level: Known bad

The file 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 14:47

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 14:47

Reported

2024-08-17 14:49

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |

Downloads MZ/PE file

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |

Identifies Wine through registry keys

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1598c2793.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\e1598c2793.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |

AutoIT Executable

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000003002\2b6a1acebe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |

Suspicious use of SendNotifyMessage

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2576 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe |
| PID 2576 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe |
| PID 2576 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe |
| PID 2340 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe |
| PID 2340 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe |
| PID 2340 wrote to memory of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe |
| PID 4124 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2340 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe |
| PID 2340 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe |
| PID 2340 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3044 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2340 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\1000003002\2b6a1acebe.exe |
| PID 2340 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\1000003002\2b6a1acebe.exe |
| PID 2340 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\1000003002\2b6a1acebe.exe |
| PID 940 wrote to memory of 880 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 940 wrote to memory of 880 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 880 wrote to memory of 3928 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 3928 wrote to memory of 4488 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe

"C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\2b6a1acebe.exe

"C:\Users\Admin\1000003002\2b6a1acebe.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e81ad4d-16ca-4817-8eaf-e9ef16b76085} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3205e69-f08a-4e66-bbd1-b7995308bb25} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 1680 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6127927b-beda-4d43-ac28-7c2cebc50ed5} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3500 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {614871e0-0d40-4e0b-8630-9e6892a1ef49} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4624 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3be69ece-bcd2-436f-a0d4-fb3271bae74f} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5092 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56a6d52b-3951-4b36-b4e9-74abdcde7526} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c353ece-f2bb-4086-8049-25cf0309321f} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 5 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7444de64-fe40-4ba9-9299-c13c1f0364f8} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6088 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6064 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00d896b4-1556-44c5-aa8d-8a96b669756a} 3928 "\\.\pipe\gecko-crash-server-pipe.3928" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:49918 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
N/A 127.0.0.1:49926 tcp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/2576-0-0x0000000000530000-0x00000000009D7000-memory.dmp

memory/2576-1-0x00000000770D4000-0x00000000770D6000-memory.dmp

memory/2576-2-0x0000000000531000-0x000000000055F000-memory.dmp

memory/2576-3-0x0000000000530000-0x00000000009D7000-memory.dmp

memory/2576-4-0x0000000000530000-0x00000000009D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 19d4b831e5dd11605dedad6373ca39b8
SHA1 5b6058633e97812425c3d02b35478d3a03c27188
SHA256 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA512 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9

memory/2340-18-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2576-17-0x0000000000530000-0x00000000009D7000-memory.dmp

memory/2340-19-0x0000000000061000-0x000000000008F000-memory.dmp

memory/2340-20-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-21-0x0000000000060000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe

MD5 21f570b2a3b04bc8c2d031c296413458
SHA1 72c65436b31fe8d27c00eca9acf9590c7d6fd222
SHA256 a4fc1e5a680d5701279a61ada37dc8b19d302c7113e70324caba4156a0f9c2ea
SHA512 d0cfc5dfb6d34ad66db0ffc469ea1276f60fe87a58e307e7e2ce887c37413bb09a5fec4b425f4bfef4b8a3a4e6da70e2434f8424797e38bd40fdc1604a8ae874

memory/4124-40-0x0000000072CEE000-0x0000000072CEF000-memory.dmp

memory/4124-41-0x00000000001E0000-0x0000000000310000-memory.dmp

memory/940-43-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe

MD5 1248fcc89f1bcbaa44ea9c47ec824d7e
SHA1 a6bd2f5b2ca96bebc8158dd435ffff8d02ff6550
SHA256 343da582cbe90421cadbaadbbead3532ec26d82f9b3d297feb8b669d71754c5d
SHA512 a96870d51390ab21b188b5b7ba6d3e030cf78fd6d6c75eb93f2dd7f9d1869715db59b894a4165c31b69bf4f05ffcc18a7443df3266145d09b3f873c6a6b984c3

memory/940-53-0x0000000000400000-0x000000000052D000-memory.dmp

memory/940-55-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3044-66-0x00000000001E0000-0x0000000000218000-memory.dmp

memory/1216-69-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1216-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\2b6a1acebe.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1800-86-0x0000000000B90000-0x0000000000DD3000-memory.dmp

memory/1800-87-0x0000000000B90000-0x0000000000DD3000-memory.dmp

memory/2340-88-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-89-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-99-0x0000000000060000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\e0950232-cda5-428a-a6c2-54e97bda9928

MD5 6b6311a975184b67dc9e47c415b74b48
SHA1 c68a599e411b83b2e75e692554cf579a6ef6ba9f
SHA256 e094af7ef7e3732e29e56d100b7064b03e6b54d11db88445152cc5e197846d53
SHA512 c9e0b352185bc8e26bcb11cfb4d674cbe5922d95cc95fa74478aa19e7a1e4e7add1a7b9ce33796896ea7921384467004b841430e59bd19faa86475b1c6037cf8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\c6e2767e-d883-4672-aa42-e4b3cd6e85d9

MD5 bcf007f2b609cce3f15b4c85c10fd4de
SHA1 f2706734cba181b8b5d8d6092f1a300f1f9578c3
SHA256 783bff9ad9f1f9cba82deb1f9d28c7207258dd080583bdf3d4c3262cb07bbbc7
SHA512 d3ef6ee652def7b7b881afdbb063e8279dc683f1b3c77ef303e6993339ab2faac77083c0f41c5e715faed0984f63596b7ac269cb7d2fee927bfaa1710eaee4ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\0562660b-6b15-4624-ad0b-c9d97b5301e7

MD5 0f1b40522a96cde11ebe015a8e6ef505
SHA1 4609a81e86a4f92994ac576622de052d8ee4de94
SHA256 fbbfec382f12b1c87288bac5fef49a149b2580603742293938057a506feafdeb
SHA512 15814e69c0c94b50745272c9bf64b6fd8b86ac1805d22c9aeb445ed6301ec2aedaeb3fbe2440d671cc92bf98346383e4583bcde0c4ebd42c9e3a18de3d869d3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 757948b58bc6e17a57459197c5b93529
SHA1 1259e41db790eba61c9769cf1779f7a6aca27581
SHA256 fbc7c65e5014a5bfc5ac4fc7452661d7eac50570afbbd12e88071a88a4f45aa1
SHA512 723e8317fd13fc292643b6b5829c9d68c507a01c73ea29e586f2bf053eb67970a64c2a7d118e2d5b0f100ebb5df2c02622b3fc0f39a13046fd84127dce4a5767

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

MD5 53d9d751888b438f775798472ac44075
SHA1 09a1ec9588e9ad6af5a5e575c7d01957f6067217
SHA256 f0a434d936c25daebd0620afe23ee01777db07b0c851a12638e56c414d023287
SHA512 bdf75006358f6b05796ae2a68787c0bcbcb9cd593ef6bd05aa6cbd5f4e77b6b5dec4ab0319360a6931a8baf1e666c24926db6aeb5e7d6f595f227b5ef79912e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 738c7207e0f00d008863aa02757dd8f2
SHA1 ec3592732cc22b4d3d384499d8eff52c013d3348
SHA256 fcd0550c759d3581a983e497852eb14252cb4a85839e64bb13173e20322efabb
SHA512 9cdf2dbcc7dbb63cf6f8739a5202653a2ebdb9b80db4a8e64aec4e19d7afed3a2828e04be3324c22fe196c38a7459e008ee0ca2b1c006e582d806d0ef87f0584

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 718772d86509ff18e006b37af917e44c
SHA1 1449de5bedeb3c304c795cd05e76bc45473faea5
SHA256 6d4590416a1b8436d101755e98f9c5657ebde5fd5540cbb939a7c38b1df95248
SHA512 497165ef686ee58c51baa14951c7badb91495f58e1dd319a650c90e9f8dc91d271d14a36f857795aebaf2f46b7feabc854b1193c99dbe26efa6cb80eb46e1e0c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

MD5 52ebdad21d38e280e20785aa1e9f491d
SHA1 837e9713b21df223fb733c76e5771fe992edbb0b
SHA256 c10254a94dcc5c8d56eb1a07ec8356a14064ee42313686c1fd460ebc1820c140
SHA512 24c574f6f3a504f24feb3fb8c53c97b36cc94fdcc2434fcb26c957cb251372d69d721dee3054fe1cf707dcad95ea1444c862c7b6110a56442831ad90d8701ad8

memory/2340-397-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-452-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-459-0x0000000000060000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 9fe52cc79b46d42cc5efd1fe1f05394a
SHA1 f8af6d03a758e48b5acdaea5f56aa4b179cac7d6
SHA256 23da754b16ce7716f9b79ae9f5027042cb5b8d286f1567a4759b427b8b39249e
SHA512 cc92178468317ffc6062c08cbad937406265b61675ce2351291cf8cad8067aef6b28939cbd5d0b6f3b0f4c2331bc46c11cccba3e971ed7f028480e03d3099592

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 c20ed2029f83cc2170ec03c229e3fc91
SHA1 5f2854ef073d24e401e615ad0eb451dd936d524e
SHA256 e4f22196299c6da83f06c936aea29ab73a3986ccacdbdaf9f613a53fbb2653ea
SHA512 c184d28d1d5f21bbafe1095ba8508c262f98e1eef3e1c25c136fd2cc19204ca46d9d904cc2e17282abe4f621a52cdb3cceac4e87c1c1c029949443b592441238

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

MD5 4147377aed2abb40d51db945f551668c
SHA1 1b23006713e93694014fb78f18238b9217d93701
SHA256 72594e4a1844a082529c8076eeba33599982524c81a1db1d743932ad80301d1e
SHA512 0f354713f03e52e99bfe4b9ef458b114062ad8dd9f0068988c2c6d6b1ba8edeba8292ab94e75884d6fcf3654eb3dc958fb3863ce7324dfa43888d8c146844ea9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 f48baf42064cefb4e06d886085c7292a
SHA1 5d723c8a3fd090257fd2dc753ab8c474ca6ddf6c
SHA256 80d7cc7de0cf76c1522731eb1029acf162915f9073429274591fb09c9d91c148
SHA512 22f72092f2bf851c2c99141b3ab5de1238a9a4c3af71eb4c0403f0db0fa413fbbbd02bc71cd7d929531814be6c26baa09294d01216ee7afb66ed5cccf12060f7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9cfe4d16a8fc5b605eab93a5673dd38c
SHA1 3c707a174ebaee1ab0bb4a499b15204c6381229b
SHA256 15bbeafa17fee29e3355f8adcae0ee37642561f430b96a6459c8cf9ef39f1598
SHA512 853244ebe4b965e6e6a7f1ca8b451bb7981014f08fdae36f64ec088bc3a93f5c05b1ef45ccf782d258443801129668d24784bca8f80bb13553efb0862d5fc3f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

MD5 9714ea81be29667ff7397cd8b531d7f1
SHA1 4643e193c67023fff7c284e3b07b986bdb2acb1a
SHA256 07c25b77402d93b8c63b9c7785236f7f5f09896e1c23af0f7d05847954aa6e3a
SHA512 4febd4d775e07ca254b37d0546a87acd403f2d5641dd9175e8967d8853d44c6dc1a5e4f57d66446b41198e9ecbc529b06904732a610322ee1d079df63c849b75

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 2dd40d09eb798ce3d854493f5a081068
SHA1 caf9985063b31117d2482bc5e4106769d46496ca
SHA256 d8b7eacdafd26a27393b6ebe603dae2e9cc3a3c097dd639503a8beba41acad00
SHA512 7bbe19ca146c77ae422547b853fbf1edf04b2f49c622eae83be189f1ccd42fb6cf2402c57eaca0742e7bd175caea11d1aaf8735b797a06df6441ad6ed6a32db4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

MD5 a3fc9538e0c2ea309840670f9714c4d5
SHA1 9a85123b12cf41cb24102339a7337b507ad51c6a
SHA256 ccce78fb4a3551b16cf8ebab57bf77490d12adae2b6afd0b94ace2790dbbe090
SHA512 43f6da7d436a001723f9a50fdc905cb632f77de1bee67e6479c3dd3f3c2357972a546f215ba87d68fe8f73b7dc304fcbde58afe8cc8cbb366001ae8ac382e63d

memory/2340-891-0x0000000000060000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

MD5 aee6bdef0af9e47a950088b8fb05405f
SHA1 ad5597e7e4a9d2bf88639fff504fe6477a81ee85
SHA256 f0e4402bc1ab9b6a68633f761de8a14b2f5b1599ff3450133dd158c610da93c2
SHA512 fea954713093b81b5e92540a5fc097021f035bcb2782e9e8d5616085770d49ea71b272bffe3b9bea888cfa82996e78db2a341ce8ad436fd5f06c7995ab3471db

memory/4284-1098-0x0000000000060000-0x0000000000507000-memory.dmp

memory/4284-1144-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-2000-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-2970-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3205-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3211-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3212-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3213-0x0000000000060000-0x0000000000507000-memory.dmp

memory/4472-3215-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3216-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3217-0x0000000000060000-0x0000000000507000-memory.dmp

memory/2340-3223-0x0000000000060000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

MD5 6f3c5a0d36457da150944b911c7b294c
SHA1 72628525906e040552d4b9ca9b97157f1d81a450
SHA256 4a24757dc1214ac42df12d525493ca631319d2f8ab120d56e22a0bac144ead57
SHA512 f8ca4b9a137e8017b7a00aa52acf0d3f7ecabcf0ba291a9924a05ec4bca8ff34c9011b9e0a68363e44e347f8841f548dd85c9d2cc2cd18bf47c5eb2c663edb03

memory/2340-3225-0x0000000000060000-0x0000000000507000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 14:47

Reported

2024-08-17 14:49

Platform

win11-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1598c2793.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\e1598c2793.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\2b6a1acebe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1752 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe
PID 668 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1752 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe
PID 1136 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1752 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\2b6a1acebe.exe
PID 960 wrote to memory of 3324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3324 wrote to memory of 1048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1048 wrote to memory of 3004 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe

"C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\2b6a1acebe.exe

"C:\Users\Admin\1000003002\2b6a1acebe.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3c181cf-a857-43b6-9f50-14b4dcc4e416} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7e0155-1d6c-4ba3-aea8-09e5dbf47d01} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb2f84c-6bb2-4bab-8b2d-72cacc511860} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b090283-51cd-485d-92ba-d45bb2cff57d} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {836c2dee-f468-4365-bad2-9274f6c8f33d} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe939dd-061b-40bf-86cd-400b5a4de462} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5768 -prefMapHandle 5576 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1053e807-3d61-4d01-a435-cf1b4d2062df} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07552a6c-d39a-40ba-ab96-d5990a066e39} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -childID 6 -isForBrowser -prefsHandle 5884 -prefMapHandle 5732 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a0035d-eea5-4262-8868-9ff433624269} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
FR 216.58.214.174:443 accounts.youtube.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
N/A 127.0.0.1:49873 tcp
N/A 127.0.0.1:49881 tcp
FR 142.250.201.174:443 play.google.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 accounts.youtube.com tcp
FR 216.58.214.174:443 accounts.youtube.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 19d4b831e5dd11605dedad6373ca39b8
SHA1 5b6058633e97812425c3d02b35478d3a03c27188
SHA256 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA512 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9

C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe

MD5 21f570b2a3b04bc8c2d031c296413458
SHA1 72c65436b31fe8d27c00eca9acf9590c7d6fd222
SHA256 a4fc1e5a680d5701279a61ada37dc8b19d302c7113e70324caba4156a0f9c2ea
SHA512 d0cfc5dfb6d34ad66db0ffc469ea1276f60fe87a58e307e7e2ce887c37413bb09a5fec4b425f4bfef4b8a3a4e6da70e2434f8424797e38bd40fdc1604a8ae874

C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe

MD5 1248fcc89f1bcbaa44ea9c47ec824d7e
SHA1 a6bd2f5b2ca96bebc8158dd435ffff8d02ff6550
SHA256 343da582cbe90421cadbaadbbead3532ec26d82f9b3d297feb8b669d71754c5d
SHA512 a96870d51390ab21b188b5b7ba6d3e030cf78fd6d6c75eb93f2dd7f9d1869715db59b894a4165c31b69bf4f05ffcc18a7443df3266145d09b3f873c6a6b984c3

C:\Users\Admin\1000003002\2b6a1acebe.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\4ef9d3be-75df-4466-819c-530ae24e5444

MD5 6c56b933ee371ee2cda111c9f8bf8c68
SHA1 c76645bca286af8c7539354ff1f064928c1af1c6
SHA256 1aca6f3bc4d8021ad7d9806a27863316f5f55484156e8b987e70a9e5c1f892a3
SHA512 04330d3308b4246dad57230f2c03195ba9d563b034da23cd2d5929a9adb19db06b188158a8a2f10201e3738363362060be108482187f26a339c153b03506ac4c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\bf6ec2cc-8c72-470b-a78d-b0ff716de060

MD5 2d2df17f89937905a1e555a2a321356e
SHA1 a42bfb905319cd2a9974cb34b0550829e88ad1b8
SHA256 e6056e51255b9e10eb9f4eaae0dc6e4983ffdab57a037bd9becfc88be642d1ba
SHA512 df9601059045876ffd56232769f0eaaac908c2babe128bec1642766e0f005ac753146f2391593f206c1f014cdaec8eefbb1ed687267fea151c365f8acc9545e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\92fb7c83-1c80-4ee0-83ce-792cd2d790a0

MD5 58ab79c5633f33dbe59398216fcd694e
SHA1 7e930ccf8fddc6f6f281cd1247b1d3168162b283
SHA256 b52d668f7a76ff30d4f974691dc77894fc06b4c5b20fbae7b515575c81eaf77c
SHA512 a7a2e97b31277d18ee4af3d0b0f495fc54ffa6e537768978a3bb241ba920a0bad7c9aafb6637a72427b647f7e445ca48365f8ac784b6322475090220b4ec774b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 3222b159385a88ac302be36506fa8f5f
SHA1 f47849edcb7e464dc5263ad31fdcc32932939adb
SHA256 ad20262d1ec2452fd53b39a0ffd7e00f43fd02da4f0cad6c90b6530331583b78
SHA512 bb35b690637587ec6146a92e764effe5909c428fffe09ef0f60718a1f5f9d41b52ab8722a43f5e8599703467c88e20ea75dec8afca23a5fa5079f22ce28fac3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 8b380944df232d2e6e1d27dc7981f1ca
SHA1 4f445b96ac369eca1232b52f711adb548d831fc6
SHA256 7ca7a7f111c3873f84d127839d3c17d0dafc211cb429b3419d85fdf37780ee10
SHA512 9162b48decea8a2f226fbf92a0eb3c081a7d7f95ddb16aec6aa9e06eb73bd13bf773806050ea03175d39a749d6868caabcec7c81b64d45a020d7717305f2d126

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 793d82b23a32546713a2dcf547f2394d
SHA1 23a0151e6e3151c8b97a368fadd4def37196ae7f
SHA256 bef9f9e5d228009642d30507e2e81c4c50c9059d582c7886fffffddc375e2cf6
SHA512 d940d307df184e75887a8b62b09a48bf932ef2f5f4d97c53cfc713160d164cd4b03624f31cf27a10063d36f87aab3f5f63db38ac1bcbf870655239aa0ff2a282

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

MD5 feb4204eed1d6a229a4b3c9050a71b27
SHA1 c9e36dba07764befcf1a89cdcb9cdf7b7330073f
SHA256 7666d451c152bd658781e37f82148bc211e20f48306a3d89054c1ff12b1b2ae6
SHA512 2d4dc1f9ee56ae196686068d725cf87d4a6ecdc0410b612ff7d0d86893d98a800efa28d8ed64882e2f0ebd7ee27588c9b508dcda78218c01042ae8de511c1737

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 cea3ba8291ce6f359b15a313600559da
SHA1 e9f59b6d4c5356feacb238b1feff58bc2a46a683
SHA256 8e55f9b4c5842c5d40598703998c595d2b092e45f8752c989f67fb70f74c521f
SHA512 f44e471481812b47b2934a0868692af6009ea9b57c690a03d0079d5a59ea71ef035973e89e0fc48f26efe16f4b90b4e8722db085dc9b49a0e6c596026bbd83c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 bce42ea8d22a99e830d448c8b01acde6
SHA1 2a6cf75a4bcba713e059bcb23fd9440e0a9cb371
SHA256 1a3c4675d56121008a1a0b874f30ad7187e1baeddee0f2eb806b31bdf2ee9baa
SHA512 7342091e71191f53bfef8960b2fa1505765a9845b5673ab16511f3fa4ea4132f407ffff0581c378cccfee35735d44cd16381f3ae49f6976f508a6d77661255b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

MD5 f36aa16da72af1919f87af610c714175
SHA1 7695ea000f4dfa360db00dd3c135078f7c084054
SHA256 71b93de8b83e4dde9622ac257dcdfb7a873364f235bf2188d7ee1182181f8b37
SHA512 187e231148854d54eaa1bce3d5d077baf8fbd9fc0793a7ffe6a777622c6bccc70e296d044bb095dc762e4519d8c4f1f7136e6a71d791ede9a633e0f978cf8c99

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

MD5 03ec50456b0d2e1a16a2822013a00d12
SHA1 91e191fdbf29a6c51fc04d56e24424ff8e62c746
SHA256 f715360603efa45777884f15460ba562a86f2dfb1bb04c606ea2c3ea48d2b2cc
SHA512 bcc54b4dd9055ac6f7f080186c24b19165cd6abeeccf669d92c3fee01046e3835867f1360e60857d724267f68b6ae57161c223fb66795704bd6f5ecb89517b46

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 090ac46b226bc53563bb7fc8593484f7
SHA1 6bc4b7a915f51dd999c79036c694d5d54f77f759
SHA256 575d3f8fc1406fbec1a4e0e00b8a725f846a9a0133092c7fdee8fe1e5e1e3c1d
SHA512 0744f1be023881a8bf8ff1ad05cc6061bb0ad3fd1963a2682c25b533adcefc3227760f4445c6a5a67f1efa7ae303fe18def293f6b1b9f4000b34b4991711d713

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 63b2f773c7596a55de1f245b0530b72f
SHA1 241c9ae25ff6e41bc273b2320c0fd0e9ea3f8798
SHA256 7527acf8ab2602e576ca7e70ab391bfc36c60ad49e807ceebba6ea6f2b52280e
SHA512 8f8db765ce9e50d637a6242273d9edf7618d2b2b9374aa6cf8bd36b7869267702afd332583f3a09571e747ca3f3e89c5f9daa94eceb2da44470fb8bc2753bbd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 7793d64c7b89a107a57b762170429014
SHA1 ea6b2838eafc71d656c0332015985ad31e49bc2b
SHA256 ba1ed3059ba90292ad7e5664ad1a53c30095e477a105940717fda3108ddad308
SHA512 da6d39b3d2b4fdadfdde6c7ad231efb923b91046d680e492ddc7b40d691770ef1058cdb9c7056d5ba591a72f67300502c563340b108740059932b44cbff420c4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

MD5 44c777cbd9bceda3c116ba73f2ef7711
SHA1 cf0f1bb8135680d6017c35389ffc33300751cee5
SHA256 41b13da73c45bf5d99f390721e4adbab8bac1b3d4f4ef574d37a16493d7a355a
SHA512 2486c1bad20c4e822942573f3261c03d17005f2ddf0722ef306897e1829432ba8eb6afd0b9f7e192e8aa1cfddc54ba988caf0a9c74d46ab0923ec776fb66a385
