Malware Analysis Report

2025-01-18 11:32

Sample ID 240817-vc55ysyfpl
Target 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
SHA256 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
Tags
amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2

Threat Level: Known bad

The file 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 16:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 16:51

Reported

2024-08-17 16:54

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 rows)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 rows)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 rows)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A (4 rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac5b144c02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\ac5b144c02.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (3 rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\33dd1d58ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (5 rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (21 rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (35 rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (3 rows)
PID 4420 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe (3 rows)
PID 2912 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 rows)
PID 4420 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe (3 rows)
PID 2156 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 rows)
PID 2156 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 rows)
PID 4420 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\33dd1d58ed.exe (3 rows)
PID 904 wrote to memory of 4364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 rows)
PID 4364 wrote to memory of 2340 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 rows)
PID 2340 wrote to memory of 1088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (17 rows)
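The WriteProcessMemory table above is the most useful part of the report: it encodes the whole chain (sample -> svoutse.exe -> three dropped payloads -> RegAsm.exe -> firefox.exe) and, through the writes from Temp-dropped binaries into RegAsm.exe, the injection step. The script below is an added example and not code from the sandbox report or from any tooling it describes. It parses rows in the table's format, collapses the one-row-per-call repeats into counts, rebuilds the process tree and flags writes from binaries in user-writable paths into Microsoft system binaries. The input rows are reconstructed from the table; the path rules for what counts as "dropped" and what counts as a "system binary" are assumptions the report does not state.

```python
"""Rebuild the process/injection chain from sandbox 'wrote to memory' rows.

Added example, not code from the sandbox report. The rows are reconstructed
from the report's 'Suspicious use of WriteProcessMemory' table, which lists
one row per WriteProcessMemory call; the path heuristics below are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"
SVOUTSE = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
PAYLOAD1 = r"C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe"
PAYLOAD2 = r"C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe"
PAYLOAD3 = r"C:\Users\Admin\1000003002\33dd1d58ed.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# (src_pid, dst_pid, src_image, dst_image, rows_in_report), taken from the table.
EDGES = [
    (1360, 4420, SAMPLE, SVOUTSE, 3),
    (4420, 2912, SVOUTSE, PAYLOAD1, 3),
    (2912, 904, PAYLOAD1, REGASM, 10),
    (4420, 2156, SVOUTSE, PAYLOAD2, 3),
    (2156, 2388, PAYLOAD2, REGASM, 3),
    (2156, 1940, PAYLOAD2, REGASM, 9),
    (4420, 3132, SVOUTSE, PAYLOAD3, 3),
    (904, 4364, REGASM, FIREFOX, 2),
    (4364, 2340, FIREFOX, FIREFOX, 11),
    (2340, 1088, FIREFOX, FIREFOX, 17),
]
# Expanded back into the report's own row format, one line per call (constructed input).
REPORT_ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in EDGES
    for _ in range(n)
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I)


def parse_rows(text):
    """Collapse one-row-per-call text into {(src_pid, dst_pid): [src_img, dst_img, calls]}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # header line or malformed row
            continue
        entry = edges.setdefault((int(m[1]), int(m[2])), [m[3], m[4], 0])
        entry[2] += 1
    return edges


def is_user_writable(image):
    # Assumption: anything under the user profile is attacker-droppable (Temp, Downloads, ...).
    return image.lower().startswith("c:\\users\\")


def is_system_binary(image):
    # Assumption: images under C:\Windows are Microsoft-signed binaries (RegAsm.exe here).
    return image.lower().startswith("c:\\windows\\")


def find_injections(edges):
    """A dropped binary writing into a system binary's address space is the
    hollowing/injection pattern worth alerting on. Parent->child writes between
    identical images (firefox -> firefox) are ordinary process start-up and are
    not flagged; the call count alone cannot tell the two apart."""
    return sorted(
        (s, d, si, di, n)
        for (s, d), (si, di, n) in edges.items()
        if is_user_writable(si) and is_system_binary(di)
    )


def process_tree(edges):
    """Render the parent/child chain implied by the rows as indented lines, root first."""
    children, images = defaultdict(list), {}
    for (s, d), (si, di, _) in edges.items():
        children[s].append(d)
        images.setdefault(s, si)
        images[d] = di
    targets = {d for _, d in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in images if p not in targets):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("\n".join(process_tree(edges)))
    for s, d, si, di, n in find_injections(edges):
        print(f"INJECTION {s} -> {d}: {si} wrote {n}x into {di}")
```

The three flagged edges are exactly the writes into RegAsm.exe from the Temp-dropped payloads; RegAsm.exe then launching firefox.exe against the Google password page (see the Processes list) is not caught by the path rule and would need a command-line check the table does not carry.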

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe

"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\33dd1d58ed.exe

"C:\Users\Admin\1000003002\33dd1d58ed.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72374624-0b7f-4c11-91bc-6c88464e81b7} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab14020d-f306-42bd-9805-3566b87a0004} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2876 -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2940 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2818df-8c9e-438a-832a-7dbf1993b768} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 2656 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7fd2a08-3f31-492e-99b9-37fc7502d2c1} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a31cc470-d32f-4ddc-a201-827b2a2f2819} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 3 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2baa7c28-14cb-4210-a7d3-f940c1015aae} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 4 -isForBrowser -prefsHandle 6012 -prefMapHandle 6004 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6632ea45-0c8e-479e-9050-6ab6d710ef98} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 5 -isForBrowser -prefsHandle 6024 -prefMapHandle 6020 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8671841-5bea-4295-a70c-7f31213189a4} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6164 -childID 6 -isForBrowser -prefsHandle 6440 -prefMapHandle 6436 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55bc7669-47e7-43c8-95b9-a623fdc61c55} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:57494 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
FR 216.58.214.174:443 www3.l.google.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
N/A 127.0.0.1:57502 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/1360-0-0x0000000000810000-0x0000000000CE0000-memory.dmp

memory/1360-1-0x0000000077684000-0x0000000077686000-memory.dmp

memory/1360-2-0x0000000000811000-0x000000000083F000-memory.dmp

memory/1360-3-0x0000000000810000-0x0000000000CE0000-memory.dmp

memory/1360-4-0x0000000000810000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 e3fd0516e07f3c086155870f11b17f41
SHA1 1adb49efdfa5e12dd0849e45b7ebbec4dc0e8f8b
SHA256 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
SHA512 7f70c92d8ce86a830631c5829cc74f7a91a8e9cada59e193f766bbff9486bf163053f164eb57dcc3bfa57b2441d263d073f2f57767acf0f5500cb08fcb15df74

memory/4420-17-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/1360-18-0x0000000000810000-0x0000000000CE0000-memory.dmp

memory/4420-20-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-19-0x0000000000321000-0x000000000034F000-memory.dmp

memory/4420-21-0x0000000000320000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe

MD5 65c92fd9df13e8e9a60bfc3a4f9c2988
SHA1 d6346ae9dec7841b4d331e002abb78a0d509c45f
SHA256 b61c01b84a7e177e932728e2939d5a868703def4338d736d110bc7101d591219
SHA512 e4e99e292fe4a90a159577b0c8132dec9e20a6fcb8b7c122ca2242fe072b9a1b6c8b7c72e4e8557b0deb3a396e4d3d91a4faaa01763f43dd01bb6214be538d63

memory/2912-40-0x000000007329E000-0x000000007329F000-memory.dmp

memory/2912-41-0x0000000000920000-0x0000000000A50000-memory.dmp

memory/904-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/904-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/904-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\614def4a3d.exe

MD5 b99cb4285c29917fe0f1dab529d7a8e5
SHA1 5bf0b88e319a383bbd8b4abe2b81403a0902303c
SHA256 b553e2bb5b2d20a0a78ee2a8012416285ebf65cb787f8d436274673dc8520aa1
SHA512 5f08473e5e08b4d384071b8904780f5ef1e8cb5d0c8266825487510379cf46f837955c4b2757727b68c0340351089206174b920c564d218c34e079219cfc7335

memory/2156-66-0x0000000000F50000-0x0000000000F88000-memory.dmp

memory/1940-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1940-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\33dd1d58ed.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3132-85-0x00000000008D0000-0x0000000000B13000-memory.dmp

memory/3132-87-0x00000000008D0000-0x0000000000B13000-memory.dmp

memory/4420-97-0x0000000000320000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\f54100e1-d724-46c4-92b5-f5bf89a47f4b

MD5 b4e901a357724f13dd1739e2f978f10b
SHA1 bd3fc6fdf4a4784d9cb41e2c5fc86b54e9d45c5e
SHA256 ae5087aca9e8fd97edfa7720814667ab9d07e15333cdb9cd35f0120ff5be8442
SHA512 1dada6f7ce213de259c5bde9dfc0ac9da3307fc0fe34a1856ecb2eb4f4617cd7e34882b8e5b08f309e1cc5ac9948b58ec94bd2f8c93df2bb37c6e92ba4a1ed89

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\d7dbd31a-e15f-4192-a801-18109dec80bc

MD5 9b168dfb4f48b00e5c64df3a7314b257
SHA1 c02e34e14d66e6b4523c03d915f4060d7bc34441
SHA256 221dc8352ad70c5fbc938c947b7a6a73e12fb5a7cfd87824195ec601783b55b4
SHA512 b14dd8650579627703d8e50d328e6eb00347fb5e7ddba389272b286f10ce05b5866576dacf6ebf5dc04e4215ce1db790901679b423ad9fce4a30a2104bc2dc00

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\8fcb602b-258e-44d9-ac73-b2459880d874

MD5 370961ddce3b89400d67690918593d1c
SHA1 bc57f7cf8c0f694520558038810e03f40ffb8b6c
SHA256 b847e509d9677d2171bfd4530fc2de61bd415d2e4b925668c89ad18fc4dee6e3
SHA512 3158eb743376cbe75e5336293e2b29d166ae5f93554fe01aeb1fbd619ad059306845322fec454643b3239cefc441ce7e5318ac3743bdfb0975af92d01fd2b8bc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 86fbdd2f6202aa105f03fba41475ca86
SHA1 96ba9fa3a82ccc02d3798838fb5484ad4d8d1756
SHA256 a43f89d1e12e489eb6c36d1e16144fff654e67071eb84f27eabab0ce42a742cb
SHA512 47ac2396a81ad65fc875ce053523f3556ec5e322c0ec0d23f3ccaab4e04db672a19303c707357a25e7b36a336e05b8720aa4adbd7b2b450f50e1dc7f892e52a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

MD5 308224a5b644c264e2f78e134f59df07
SHA1 32ec978c7cb4e96bbf0957c456aee29132a747f6
SHA256 e416484c0957d435b7683b4b9b2bfa71fc23d73f10e900c157d9e7c2f33ebe6f
SHA512 0cad785179a3f78b11931158e486695db59a86d4ee84c2b493d41f603ef330f6534edc8c33179b1ad6595d141895b6bb2632ad70593fe536c0f5ec3d409ea95b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 d14331f9ce0a3a9838bf359074c09216
SHA1 71d32cc800dd49d51b8ef9f01f54bcf7917538b0
SHA256 445305e9190c3357bf53d2a788e9f091dd68a4db93a655aea8506f84315c63c5
SHA512 6e78c9482cb6048f0bfac38a5a6e6dd163799ad863f602bed9d6dab27e3ec2841ffd10d1c40facb7845d0387626620e31eab1fd9da898761b00d8c9c48352771

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

MD5 2c07b98ed1b5d37c8a801872ceb343af
SHA1 d512b598a7566daa14e42d122288068554a88109
SHA256 a725483745f808435096cb4aa2e30295498c847ebca77a6ae4db8163cadad637
SHA512 1c92c29540b23249766489b29b598c2dec8e84390e2da43b1ed5ed2be104f1c753792461d51baf8b681a995c362b7ea04783e71c84197e306c8375e723acd714

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

MD5 caee7c40c1523a1652b8ab66f89028a1
SHA1 8db3afb7892b67fe7c826e89005360d4824b858e
SHA256 3d5c3b6ed838618c433d1157efb65fd387e7117a188aa3936eb3667f13586b4f
SHA512 a4dd70c5e6087adc6c9449c98577b56337972cc5b758bb5169ed7a96fed09c93c9ed97770980692b54ba6f8c784201f9027c3b9739f568ca7f6e9d0f64e72eef

memory/4420-403-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-423-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-422-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/5556-425-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-444-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-451-0x0000000000320000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 88a3618753dfa18f66bade20ef11eb83
SHA1 ec4923875bd906921222644e5b9251fc39dc5250
SHA256 8b397fbe2da9422a65d78a540c6ea038cb4c345c0cd5aafd09ea2f45c61fe2b7
SHA512 2f08a2f42ee240d0045e52692367fe9468cc3c9fedfa8912264c556a1749ba33a66235f0a6c4ac375cc6b540bea8f980f709392887841768de7599530a2c7c24

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

MD5 0a689593aaecb5f1f755d1c4a8c1dc86
SHA1 6beb792a53ff811b6c6ef93c723b16ea9f9f2c95
SHA256 c2add7bedd0a1ef09cffa1bc136da0d3959709fc0a3f4506068f466e398037d8
SHA512 f0c842823a40552f34a81e42ae1a34bee1b58b423321139929f6e26df9db0194e81ee43075e37800f8ad68f204c92d20b1b3dadbf95b0466edd18bdb5f7cceb2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 ca961141dba0c4f8dbdb637f0022ff0c
SHA1 3d16483534b6fff2d024f6dc363f664a0ad3a6a3
SHA256 6f4b27bda9d53d59896d1c7e3c623b385b6382790f7e3e7891973c37cc8bf041
SHA512 e26d537005e1d3967c5ad383ab5f08194fc9ea56f1e540411430d437033f151876243b590bc5930554a5068b1c0c6dfe1e2e1a66fb2cc776286bb7dc21c5adad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

MD5 886b96138f706085efc8df3a97d1d3a7
SHA1 1a92a859f94b9e8ec8cfc81226efc1cfbe214377
SHA256 22a53336c501cda77b172197507420eddbad5db6484a59142b49f557f7984d89
SHA512 84d8a23b77cf1f621e62dac6949fec50251541d0e02177d5e43f3f07c0c5a27e1f1e769748a4314286aec4590ae90fab6e9ef538d961e0640497135edd3eef29

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f76ad0d62f6b959d16463b5bbb7f1574
SHA1 80177d2889eb76a11d0ed7cb4c304098f781f00f
SHA256 0f4cee50edbe68fcc40402f8f0c2c3d961c8076c6a9544959cc5796613e8d3c8
SHA512 23ae9aafe2b7461e318d4f15909b2c72b4a3c44c01d8ae0e3c1df5abae08990e0f37af3543ecdc9fb316cbf12076f7fe6049ac9b884ddc48edd6247d5a107366

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

MD5 7b88d3b6e70c3d4bfa095d21a92c33c5
SHA1 17032a9588cca2d3e3b73b334535a6dfae15bfcb
SHA256 0d20c0b6ef081449ed889c0ced50dfe7973d7fbfa004c7dececf159705652e18
SHA512 c9c7f9b8a1d17289f2dc23d986cc02600258687822023fc4f2a6a2facdc00173b9e66dc7c2e4e79fadc28688f015fb1f4905c0ca8ef7e5847d72b77c33f427ca

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

MD5 e3ee47937dccdd17e626ca244699ed49
SHA1 61ff8fdedbc64801ede3a448e6a78075d4c935f9
SHA256 838d80f7bb05ed844a5ad6adbe693832896fd02f79f79aec3f525494072be3c9
SHA512 c40c760ef6f20481b7024e8db13fe9bbc1a5f798dc7077e5ba2c8cd59130f132d154bff62a275e453d9c30b0c745bc37ffaa594e18e1655d2dc67de806ddde33

memory/4420-1229-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2455-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2638-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2644-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4964-2646-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2648-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2649-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2650-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2651-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2652-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2658-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/3380-2660-0x0000000000320000-0x00000000007F0000-memory.dmp

memory/4420-2661-0x0000000000320000-0x00000000007F0000-memory.dmp
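The two tables above carry the indicators a responder actually needs from this run: three direct-to-IP plaintext HTTP connections to RU hosts (31.41.244.10 and 185.215.113.16/.100, no hostname in the Domain column, which is how the Amadey loader and the Stealc payload talk to their servers) buried in Firefox update and telemetry traffic and in the sandbox's own reverse-DNS lookups (the in-addr.arpa rows), plus three dropped PE files whose hashes sit among dozens of Firefox profile artifacts. The script below is an added example, not part of the sandbox report, that parses the flattened layout shown on this page and separates signal from noise. It assumes the report is available as plain text in exactly this layout; the row excerpts are copied from the tables above (SHA512 lines left out for brevity), and the directory-layout regex encodes an observation from this report (a random 10-character directory under Temp for the loader, 10-digit directories such as 1000001001 for downloaded payloads), not a published specification of the malware.

```python
"""IOC triage over the flattened Network and Files sections of the report above.

Added example, not the sandbox's own tooling.  Assumes the report text is
available in the layout shown on this page; excerpts below are copied from it.
"""
import ipaddress
import re

# Excerpt of the Network table (Country Destination Domain Proto), copied from above.
NETWORK_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:57494 tcp
NL 108.177.127.84:443 accounts.google.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
"""

# Excerpt of the Files section (path line, blank line, hash lines), copied from above.
FILE_ROWS = r"""
memory/1360-0-0x0000000000810000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 e3fd0516e07f3c086155870f11b17f41
SHA256 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2

C:\Users\Admin\AppData\Local\Temp\1000001001\ac5b144c02.exe

MD5 65c92fd9df13e8e9a60bfc3a4f9c2988
SHA256 b61c01b84a7e177e932728e2939d5a868703def4338d736d110bc7101d591219

C:\Users\Admin\1000003002\33dd1d58ed.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

MD5 0a689593aaecb5f1f755d1c4a8c1dc86
SHA256 c2add7bedd0a1ef09cffa1bc136da0d3959709fc0a3f4506068f466e398037d8
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Observed layout in this report (assumption when generalised): loader in
# Temp\<10 hex chars>\, downloaded payloads in <10 digits>\ under Temp or the profile.
DROP_DIR_RE = re.compile(r"\\(?:Temp\\[0-9a-f]{10}|\d{10})\\[^\\]+\.exe$", re.IGNORECASE)


def parse_network(text):
    """Rows are 'Country IP:port [Domain] Proto'; the loopback row has no Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, _, port = parts[1].rpartition(":")
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]})
    return rows


def suspicious_connections(rows):
    """(ip, port) -> country for connections made to a bare IP with no hostname.

    Resolver traffic (port 53, including the sandbox's in-addr.arpa lookups) and
    loopback/private peers are skipped; a literal IP in the Domain column means
    no DNS name was used, which is the C2 pattern in this report.
    """
    found = {}
    for r in rows:
        if r["port"] == 53:
            continue
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_loopback or addr.is_private:
            continue
        if r["domain"] == r["ip"]:
            found[(r["ip"], r["port"])] = r["country"]
    return found


def parse_files(text):
    """Group each path line with the hash lines that follow it."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif not m:
            current = {"path": line}
            entries.append(current)
    return entries


def dropped_payloads(entries):
    """Hashed .exe files in the loader/payload directories, ignoring browser artifacts and memory dumps."""
    return [e for e in entries if "sha256" in e and DROP_DIR_RE.search(e["path"])]


def triage(network_text, file_text):
    c2 = suspicious_connections(parse_network(network_text))
    drops = dropped_payloads(parse_files(file_text))
    return {"c2": sorted(f"{ip}:{port}" for ip, port in c2),
            "dropped": [{"path": d["path"], "sha256": d["sha256"]} for d in drops]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(NETWORK_ROWS, FILE_ROWS), indent=2))
```

The direct-to-IP rule is deliberately narrow: it does not flag the Google, Mozilla, Bing or Cisco hosts, all of which were contacted by hostname and are Firefox doing its normal startup work, and it dedupes the repeated 185.215.113.100 rows. Treat the dropped-payload list as run-specific: the numbered directories are stable across the two detonations, but the payload file names (ac5b144c02.exe here, 8a371439cd.exe in behavioral2) are not, so block on hashes and on the directory pattern rather than on names.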

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 16:51

Reported

2024-08-17 16:54

Platform

win11-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a371439cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\8a371439cd.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
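The indicator rows in this and the preceding signatures describe host behaviour that is detectable outside a sandbox, with two caveats a detection engineer has to respect. First, the Run value and the .job file point at a payload name that differs between the two detonations (8a371439cd.exe here, ac5b144c02.exe in behavioral1), so a rule must key on the path pattern and the writing process, never on the file name. Second, the anti-VM probes are registry key opens and value queries; Sysmon records key creation, deletion and value writes (EventID 12/13) and file creation (EventID 11) but not plain opens, so the VBOX__/Wine/BIOS probes are only visible through API-level tracing such as a sandbox or an EDR hook. The code below is an added example, not the sandbox's logic: it runs three rules over constructed events in a generic schema (op, image, target, data) built from the rows above plus two hypothetical benign events, and reports per acting process which rules fired.

```python
"""Rules for the persistence and anti-VM indicators in the signatures above.

Added example, not sandbox code.  Events use an assumed generic schema:
op in {reg_open, reg_query, reg_set, file_create}, image = acting process,
target = key/value/file, data = value written.  reg_set and file_create
correspond to Sysmon EventID 13 and 11; reg_open/reg_query have no Sysmon
equivalent and need API-level telemetry.
"""
import re

SVOUTSE = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SID = r"\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000"

# Constructed events: the first five mirror indicator rows on this page, the
# last two are hypothetical benign activity to show what the rules ignore.
EVENTS = [
    {"op": "reg_open", "image": SVOUTSE, "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "data": ""},
    {"op": "reg_query", "image": SVOUTSE, "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "data": ""},
    {"op": "reg_open", "image": SVOUTSE, "target": SID + r"\Software\Wine", "data": ""},
    {"op": "reg_set", "image": SVOUTSE,
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\8a371439cd.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe"'},
    {"op": "file_create", "image": SAMPLE, "target": r"C:\Windows\Tasks\svoutse.job", "data": ""},
    # Firefox reads CPU keys from Program Files (benign row from the report).
    {"op": "reg_query", "image": FIREFOX, "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz", "data": ""},
    # Hypothetical installer registering a Run value that points into Program Files.
    {"op": "reg_set", "image": r"C:\Program Files\ExampleVendor\setup.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "data": r'"C:\Program Files\ExampleVendor\agent.exe"'},
]

# Key suffixes the loader touched; a process in a user-writable path reading
# any of them is probing for a VM or Wine rather than doing hardware inventory.
VM_PROBE_SUFFIXES = (
    r"\HARDWARE\ACPI\DSDT\VBOX__",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\Software\Wine",
)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
LEGACY_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\(?:Users|ProgramData)\\", re.IGNORECASE)


def user_writable(path):
    return bool(USER_WRITABLE.match(path.strip('"')))


def evaluate(event):
    """Names of the rules this single event triggers."""
    hits = []
    untrusted_image = user_writable(event["image"])
    # Persistence: any Run value whose command lives in a user-writable path,
    # regardless of file name or of which process wrote it.
    if event["op"] == "reg_set" and RUN_VALUE.search(event["target"]) and user_writable(event["data"]):
        hits.append("run_value_targets_user_writable_path")
    # Persistence: legacy Task Scheduler 1.0 .job file dropped by an untrusted image.
    if event["op"] == "file_create" and LEGACY_JOB.match(event["target"]) and untrusted_image:
        hits.append("legacy_job_file_from_untrusted_image")
    # Evasion: VM/Wine probe, scoped to untrusted images so Firefox's CPU queries stay quiet.
    if event["op"] in ("reg_open", "reg_query") and untrusted_image and any(
            event["target"].lower().endswith(s.lower()) for s in VM_PROBE_SUFFIXES):
        hits.append("vm_or_wine_probe_from_untrusted_image")
    return hits


def detect(events):
    """Map each acting process to the set of rules it triggered."""
    by_image = {}
    for ev in events:
        for rule in evaluate(ev):
            by_image.setdefault(ev["image"], set()).add(rule)
    return by_image


if __name__ == "__main__":
    for image, rules in detect(EVENTS).items():
        print(image, sorted(rules))
```

Scoping the probe rule to images under C:\Users or C:\ProgramData is what keeps it quiet on the "Checks processor information in registry" rows attributed to firefox.exe further down, which are ordinary hardware inventory from a signed binary in Program Files; if your telemetry carries signer information, that is a better trust anchor than the path.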

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\1b123b9113.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3316 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3316 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1804 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe
PID 1804 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe
PID 1804 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3400 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1804 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe
PID 1804 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe
PID 1804 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 460 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1804 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\1b123b9113.exe
PID 1804 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\1b123b9113.exe
PID 1804 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\1b123b9113.exe
PID 4488 wrote to memory of 3184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4488 wrote to memory of 3184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3184 wrote to memory of 4528 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4528 wrote to memory of 980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe

"C:\Users\Admin\AppData\Local\Temp\1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\1b123b9113.exe

"C:\Users\Admin\1000003002\1b123b9113.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31e76937-ba93-4d85-91b0-447351871fd0} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a08277aa-0161-4a80-b38e-64a4616b280c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 1676 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3042df6-4a90-43cf-9cb4-383e6113ade3} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 3896 -prefMapHandle 3208 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59468d31-c72c-4527-8f96-be9590254ffe} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4448 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7038112d-18a8-4201-a1c3-65df6a9e258c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5556 -prefsLen 27101 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fb25da3-b1c4-460d-876a-3a1745bf4325} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5856 -prefMapHandle 5844 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {102b206f-b657-4958-8f70-69f0d4a36f60} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {698b4745-13c7-43d7-954b-7881cfb7487b} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f3eca28-5eb1-433b-853f-4207880fc42a} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 39.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 108.177.127.84:443 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
N/A 127.0.0.1:49883 tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
N/A 127.0.0.1:49891 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 redirector.gvt1.com tcp
FR 216.58.214.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
FR 142.250.201.174:443 play.google.com udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
NL 108.177.127.84:443 accounts.google.com udp

Files

memory/3316-0-0x0000000000950000-0x0000000000E20000-memory.dmp

memory/3316-1-0x0000000076F06000-0x0000000076F08000-memory.dmp

memory/3316-2-0x0000000000951000-0x000000000097F000-memory.dmp

memory/3316-3-0x0000000000950000-0x0000000000E20000-memory.dmp

memory/3316-5-0x0000000000950000-0x0000000000E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 e3fd0516e07f3c086155870f11b17f41
SHA1 1adb49efdfa5e12dd0849e45b7ebbec4dc0e8f8b
SHA256 1e4c0cb62627f65a45b5f82f6ccd60c165c0cfab8460ab0106c7bbbc1f44ace2
SHA512 7f70c92d8ce86a830631c5829cc74f7a91a8e9cada59e193f766bbff9486bf163053f164eb57dcc3bfa57b2441d263d073f2f57767acf0f5500cb08fcb15df74

memory/1804-18-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/3316-17-0x0000000000950000-0x0000000000E20000-memory.dmp

memory/1804-19-0x0000000000F91000-0x0000000000FBF000-memory.dmp

memory/1804-20-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-21-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-22-0x0000000000F90000-0x0000000001460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\8a371439cd.exe

MD5 65c92fd9df13e8e9a60bfc3a4f9c2988
SHA1 d6346ae9dec7841b4d331e002abb78a0d509c45f
SHA256 b61c01b84a7e177e932728e2939d5a868703def4338d736d110bc7101d591219
SHA512 e4e99e292fe4a90a159577b0c8132dec9e20a6fcb8b7c122ca2242fe072b9a1b6c8b7c72e4e8557b0deb3a396e4d3d91a4faaa01763f43dd01bb6214be538d63

memory/3400-41-0x00000000728CE000-0x00000000728CF000-memory.dmp

memory/3400-42-0x0000000000A00000-0x0000000000B30000-memory.dmp

memory/4488-44-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4488-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4488-48-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\4ae3fa6821.exe

MD5 b99cb4285c29917fe0f1dab529d7a8e5
SHA1 5bf0b88e319a383bbd8b4abe2b81403a0902303c
SHA256 b553e2bb5b2d20a0a78ee2a8012416285ebf65cb787f8d436274673dc8520aa1
SHA512 5f08473e5e08b4d384071b8904780f5ef1e8cb5d0c8266825487510379cf46f837955c4b2757727b68c0340351089206174b920c564d218c34e079219cfc7335

memory/460-67-0x0000000000DA0000-0x0000000000DD8000-memory.dmp

memory/4964-71-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4964-69-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\1b123b9113.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3472-86-0x0000000000810000-0x0000000000A53000-memory.dmp

memory/3472-88-0x0000000000810000-0x0000000000A53000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 3e282607d6309ceac351a70aa8da3140
SHA1 ba0050142faae3905775197e34b907b5aa952264
SHA256 50205235ba8577950f2d0236e318e5bd3d9a440aadcd8c868395079d540cdc51
SHA512 063c26e6333ffb3d16c9f422bbe2552995a5acc7932f9d15bbe7456087d34cc4d056ec3c04fd100b9072ab18935e0dfecb4972c2a8bbc2bb46d2aa8bb055679e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\81a717a6-a6eb-4b76-bd5f-58422e4d403b

MD5 4126e8d3647602693c8559e0eac7388d
SHA1 dd6acfe3c938bf9ebf5ee46f00834701d37e9a3f
SHA256 68af1fbc45ecb3f367edde090b54e2f2c3b1f054ce75e8b30a73de562e537134
SHA512 2fe99189f73ef0128132ae529c927713a0cf22afd9641f8bead5085f4af5b2e61c3dc24da4ace3f6122aa144ca607d8f12938c651933b20845f0e256ceeccabd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\f152997f-4a5f-45b5-80bf-bd854a494ecd

MD5 49da46ed43cb0f81e82c57a178c009a5
SHA1 29c5b35df6a499aad8e948eb2941ca68a5818f1e
SHA256 b5c4795764885aba33afc14200845454a5e08b1ada4a391f98b7d912505e3293
SHA512 d70ed80fca4cd2e52e383c12363ac151460942bd265c3aaf4bafb8bfbe4e7c9204ee8f543bc12dc749b1a39854bd7b3e8e804c5ae5052f27c59148e7172f9f88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\9084371b-b1f5-406a-a815-01045636a284

MD5 5ffadfc71401f3360a3059129dfb3e12
SHA1 9591036e1b8c2cbfe2706266e6443f3800925424
SHA256 28f362cbac7abf6319cfe438b19ec149bd89cbe8fde0abfe7ed15f1a678f87f0
SHA512 ec0d1fe1fa5f8207d54bcb1f0993ac7e519937b290415d4bca46bfb4125ffe10e7b7e8674bf092cf2a3fa7cefa381a7643845d75d29e8150ae1a3f00735eaf80

memory/1804-334-0x0000000000F90000-0x0000000001460000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 ca36c69f109838ce8c7659e7cd62bfb6
SHA1 3aa7d024ef43d5e5a66d0560f2838a3e0fa6c267
SHA256 4fee9be89d50918a1913bf59b925cfb54710b81f8c4aab8ae2ea79fdd459d1cb
SHA512 a003fd0ba6326755ffc50444cf9815d81327ded0f301d9aecd724e18271f211d51bc01aadaaab2f1580ad3684d31364bd1a3789ac398265d8062912a52564bc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 2a920846ee34f6e4eb869c7583678bef
SHA1 8e443b585f2b5dc8655a0a19b0318a5b5a1f8448
SHA256 7b1d522512b6b3c6c062e39366a03af7b61868cc70967efe181a95ccd580f23e
SHA512 9dfb8b0d92ac54084dae72a69a627f0964e21db8646ddb347faffc89c48813e038e5844b293083ed09fefe089279d1cc2f4a8f0cee00932aa879554338506ec1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 b70fa4134f94f85a0f5e0cd3da54316a
SHA1 5aa97f88eb1b173989549d56bd0697755cbe6fdd
SHA256 88009bfb872b66a362732a017c1a9791d9c9818d15ca05c80903d4e61a715afb
SHA512 4e64f20ad87008ef8775ddd77e3fafaf5243877e1b1c400f8e1cd1b80ba85fa14319510e6c796ecf9c39403859dd2cd8159e56cf346aa0839a17c8984bd3a8d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 646ba7497b71040d1b9539bf0decd937
SHA1 d8e3669e2f8c4db98c14ea0e629984805b668b61
SHA256 ea301f0b83e28cebcb16d272ab22b0656f821c9ff1f33882233192d562e336ff
SHA512 86eb16cdb90f36f0bfc7a7c95a11f73e9ec7b8c79cd3b092d1bc6b9478dd93c8274abae265f41c5bd9a7dfd491927ca25ef7ef73e14d6921143a2c9d08c11dc7

memory/1804-402-0x0000000000F90000-0x0000000001460000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 8d0cf001ccf2044d9018d01bb1ad6a60
SHA1 78c4d2bfe0de8d39077dc95710b86df8783d5875
SHA256 0a6bd7dbd2021691179d093ebab6b8a0df76bb0224f4492dd9590085b2b8fbfb
SHA512 c2e7e3972a2b01abb4489fa2cb0df7ece8814643a6bde941bee64345ba794765dc37d54f5888395f381273a81886c0adefd18a7df97cc4cb68faf13452b4bf23

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 13e9ee2738ef4033ac95d605e6e89d6e
SHA1 615a168c49677d3d6bdcb22822ff50fdc5e7974c
SHA256 8f69f8ae0d308de20d23947b524739c99f5e3f60e85fe8c4a4688f4a1f64b299
SHA512 a9dfb8f6af68b0aba273826c3277419dcd8ddf2e845e67a1d8df1aeb3e9431a86187492ed72bdc912aa3c3ef78aaa18edf414c2b94cef26f35bb308faa181985

memory/1804-434-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-435-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/5148-447-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/5148-449-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-462-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-467-0x0000000000F90000-0x0000000001460000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 5823a06663989db0a2bc1928526895e7
SHA1 8a32eaf9f2f2894da526396d1a687880a60be4f5
SHA256 83984c77e53f1800c99e7ea84e306214ddb8a7bf870eafec84c5cf7e0eaf137a
SHA512 fac2da12f9079e4cd97b54755b32565f06ca3af0c16fa39386d3e5b6bd697b9341cc7436db96b926c7b35f113d1140fab5ef9db28254d623b15f0b6ad73efdb2

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 8732ec0f1a538fe51bc3db5889d806db
SHA1 697ea40ce58e7ecacc86e56ea19a06627d254757
SHA256 2d59a884fc67e8504ca2500f65e969505133b8a3fbedab55effd8398264be14b
SHA512 65e038ea766654dcf774af30a612f38bc49ad30dd9e57f9ea52995382a8efc664131a92177feef2faaca2c0f0c1c5f7f31d909f3993235124d04856a49cd61c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 a1cf3aba2de5b0d5260f56acac57625c
SHA1 44ee7877f5d6e11ee1eb13e4154a95dc98af22ef
SHA256 3c8bd64d0c543fa64ad32b593c3a90648a02ce2c6cfbfc596663d77d423fd440
SHA512 848cbb1398db5c1a8956060175f607f52be932e71df61929c276f8751a6e3e938c1a9573820ae8a748144a20c6c63cdb0c082176e1e3dc2b294ba7e12da4ec0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 23156ff13153779faebb5f84f1067830
SHA1 57edb61e590dfe541042e8c4c8642fe800e69203
SHA256 c67f23b7ddd4ebe59018c504b87e369cb596dda830369a7e559611d4d57922bd
SHA512 93305cfb42da296faf2deb9d5f65b977a88c6683c6fa5f4a689efcb438532652968f732b11acdf8aa5b01ef2a78a562b28e2d0e7dc98ba387f50924c2ddb2c95

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 894241137c132ad97612d60159878848
SHA1 b3cb368d97b5b26329802258e55f94904ba055e4
SHA256 21c6c30dfd1f2c6348827cbc8b4691360131cc9df90ac8bde46aff7d4ec8f3b7
SHA512 3b1c92aadd7bfb31b9cf1adad043ec806f2b642bd9bd0d8e836a25965e3b8ba2462b875d7adec4110b91a973f996759db58fe0f9a8ae44d8d65e2bb7373668b7

memory/1804-1564-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2673-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2675-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2681-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/4760-2684-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2685-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2686-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2687-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2688-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2689-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2695-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/4180-2697-0x0000000000F90000-0x0000000001460000-memory.dmp

memory/1804-2698-0x0000000000F90000-0x0000000001460000-memory.dmp