Malware Analysis Report

2025-01-18 11:32

Sample ID 240817-vqgphswhng
Target 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
SHA256 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa
Tags
amadey stealc c7817d nord credential_access discovery evasion persistence stealer trojan kora
score
10/10

Analysis Overview

score
10/10

SHA256

628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa

Threat Level: Known bad

The file 628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 17:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 17:11

Reported

2024-08-17 17:14

Platform

win11-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\11f87f4a09.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\11f87f4a09.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe
PID 2312 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 4004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4004 wrote to memory of 3056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3056 wrote to memory of 1208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe

"C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3411eb0-af57-4f97-81b7-58d854df2135} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab1f32a-4213-432b-a278-b33a5ac06fe2} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3204 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22e5929-2c2f-4c6b-a86b-69970ff301fe} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 2668 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9a4594-6310-433e-a051-4d3f89ee764a} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4752 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f2b16d-7f93-45dc-9f0e-612126e361b7} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {317b4b13-90cc-4096-ae1f-027537198044} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8044cf-3ee1-482b-b00b-751fc3eb82ad} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5400 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d1e6f06-eebe-47d0-80f1-fd8ea1f57a15} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f931c5fe-3c24-4167-832e-7bf56b7dda81} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab

C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 17:11

Reported

2024-08-17 17:14

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03ec66b7df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\03ec66b7df.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\e285636085.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1608 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1608 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe
PID 4740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4740 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1608 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\e285636085.exe
PID 2096 wrote to memory of 4796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4796 wrote to memory of 1096 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 948 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe

"C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\03ec66b7df.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\b9ef9a3ba8.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\e285636085.exe

"C:\Users\Admin\1000003002\e285636085.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea0ffbb-20ea-4aff-984d-0e3fcdc743d1} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a62b201-d700-4d79-af3d-235cc543176a} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5dc848e-931b-4088-966b-da57f6d83fbf} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64f1877-10ed-49f5-8f42-674fde1ced07} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4780 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f95a6a3-5395-4929-83b5-91b094d5c700} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5176 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2592abc4-dd6f-4112-9d81-934d4178facf} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fe194f-ddd5-421f-ba78-791911d9a4a8} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5680 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {917da3e2-398c-4e98-a53e-358ba1e7ce1d} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6188 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cc3ce01-5626-4f26-bd8b-ffdcf0522bb0} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto

Files

SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 77f507f3f9d21b2543ccddfeb02eb882
SHA1 2d55181157e6b017055e5578eaaa0d5d66a950bb
SHA256 60c33a38a5111f4c958b291673d5ef1af720a45db32e531a089dea9146e63ea1
SHA512 e730b114324d66c1d6e56fc7ab914d66b8a27f7b49ed010ea2506b168314945d52a2c15842ca537668a4429a783cff24c70ee9b07a2711225385c7d214cbf019

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

MD5 034af0d08f2246b4eb9f42d40c100884
SHA1 f6ef54892a1f46cd341f019b528d8da9232516f8
SHA256 84caff9c425dce0c0452889a54591b71e7bd69a3026330205dbb7d8d2231f67e
SHA512 0a604e94fec8d6e409255871810e9d975e204ecb1825985e1f9b1103885e2f72360062fea20fbc2d95a613fd9c06885f7390276cac0766af3add1ca807d00b0b

memory/1608-577-0x00000000002B0000-0x0000000000783000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 d9d5bc273b1227a7541aecacef3885f3
SHA1 b4731b52f864dce72b7748de88efce5a8b3b53f3
SHA256 ed50ba46da69904459d7e3e3affe112c78fd56b0e67d059b254026447133ee7c
SHA512 e8d60aa18c39a8057ba114954cbfd0e3943a15a30750d95700aeb9fdc0b56786f1ba36a5213f3c7c628d1825a7af44461fe011f7a866de3491f5468b1b5fec17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ff1c607716b318584ca3d06db21ed31c
SHA1 ae00a11b69502d7ad400640e8473bf1a62538f1e
SHA256 ca2adf3fd1d5b5e55c3108adba97ddc22e7b670c795c69552ff891814fa7b97f
SHA512 0d3c6d6204d73cd48740587ff98c31cf3631f57a195b21db118d2de47124710d6a234d76772ee5ebd9958500e3d6bd6ee326820d0bc1b714760203489fdfd9f9

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 e0176d151bc03e297359f1850f82785b
SHA1 80b2973fc4c0a58b1ff6ac7dd1010e51242f6467
SHA256 fb85c88a463fe7ff9114d63f3dc480fdcd63d5419cfc9805071557f06cdc6d0e
SHA512 571758f51a83f69a14d839dafa7cd912b42e26d0ac1f8d8581ea01b3d18f4479c0bc6c26f213f7d403c5747f9ad4cbc034dd66273a64b04254ebf006d4726f1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

MD5 91f90d1e985a2b9498c2018f29242d79
SHA1 d48156cf4fd77dbf93224bc077f28768c418910b
SHA256 3265b72b97665bae3a1bccc59e763851c9b6fc20056e9a4acbec8c519ba45c7a
SHA512 767cda706fb2703caadeb719ad1a7a05eb2bb34b395f428c6cd14388165ef89253cc23321898d605b6e056171e3d6ea4934852d62368b09e5cc180086d456181

memory/1608-823-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-1064-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-1232-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/5512-1346-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-1427-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-1556-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-1969-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-2630-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-3209-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/1608-3217-0x00000000002B0000-0x0000000000783000-memory.dmp

memory/5356-3220-0x00000000002B0000-0x0000000000783000-memory.dmp