Malware Analysis Report

2025-01-18 11:39

Sample ID 240817-yvmccaxaml
Target 1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09
SHA256 1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09
Tags
amadey stealc c7817d kora nord credential_access discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09

Threat Level: Known bad

The file 1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d kora nord credential_access discovery evasion persistence spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 20:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 20:06

Reported

2024-08-17 20:09

Platform

win11-20240802-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e274b77aa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\7e274b77aa.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\6bb3871c05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2712 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2712 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe
PID 908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe
PID 908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe
PID 1488 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1488 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 908 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe
PID 908 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe
PID 908 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe
PID 4940 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 908 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\6bb3871c05.exe
PID 908 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\6bb3871c05.exe
PID 908 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\6bb3871c05.exe
PID 3860 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3860 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4088 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe

"C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\6bb3871c05.exe

"C:\Users\Admin\1000003002\6bb3871c05.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7510a7e2-05b5-4f38-8ad3-a5ea180fe260} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af497560-d32d-431d-87e5-0fdea5bc55e7} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 1 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dad8aa9-1228-402c-968d-ec390cd0ff6a} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3836 -childID 2 -isForBrowser -prefsHandle 3220 -prefMapHandle 972 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a6a46ef-0617-41aa-89fe-70953e9c894b} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caf84830-dfa6-4321-bd07-a557d81925df} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 3 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da26102b-d00d-4bee-bd9e-b4478f9fe9da} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 4 -isForBrowser -prefsHandle 5784 -prefMapHandle 5728 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d37decae-3994-48a4-abf5-1f43d0e5c8a9} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6057f8f-f45a-433b-aa07-b77f6904c57f} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5896 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1380 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d22a82e-5419-4b4c-9c82-d9c699d38b73} 4088 "\\.\pipe\gecko-crash-server-pipe.4088" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000001001\7e274b77aa.exe

C:\Users\Admin\AppData\Local\Temp\1000002001\5ae61c65af.exe

C:\Users\Admin\1000003002\6bb3871c05.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\5c15d30a-3a2d-4ee5-b0c3-6b33385621c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\1d5f4017-9e69-4401-a858-ec35c8a1f496

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\bba0487e-88d8-47a7-8fa5-ff3325dcf12c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\cookies.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\cookies.sqlite-wal

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\formhistory.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\places.sqlite-wal

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 20:06

Reported

2024-08-17 20:09

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45922c1dea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\45922c1dea.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

AutoIT Executable


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000003002\723b7eb608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (7 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (36 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (20 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (37 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (3 identical rows)
PID 4284 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe (3 identical rows)
PID 1896 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 1896 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical rows)
PID 4284 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe (3 identical rows)
PID 4556 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical rows)
PID 4284 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\1000003002\723b7eb608.exe (3 identical rows)
PID 3728 wrote to memory of 1172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 1172 wrote to memory of 764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 764 wrote to memory of 2700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (17 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe

"C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000003002\723b7eb608.exe

"C:\Users\Admin\1000003002\723b7eb608.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {930668c9-8d00-4d92-925c-edc16355764f} 764 "\\.\pipe\gecko-crash-server-pipe.764" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dfdfb9e-be47-4f83-8ff2-8551a0cc7027} 764 "\\.\pipe\gecko-crash-server-pipe.764" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3120 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c61aba0-ec27-47bd-b5c6-609bcad69892} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3968 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2da54d12-c86e-42db-9b59-806926dff51c} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35078fb8-99d7-45af-9685-b31e74153a5d} 764 "\\.\pipe\gecko-crash-server-pipe.764" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5392 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c7f8a3-cce5-4d6c-a87d-2697498cfd8e} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a5ca59-8ffe-4120-b055-ae669c0b9eef} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50706199-f317-4134-be35-f2a2237a8da7} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 6 -isForBrowser -prefsHandle 6368 -prefMapHandle 6364 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09911f29-47ec-43ef-84bf-cb471f0f4405} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (6 identical entries, no command line recorded)

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp (2 identical rows)
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
N/A 127.0.0.1:63064 N/A tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 108.177.127.84:443 accounts.google.com tcp (2 identical rows)
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp (2 identical rows)
NL 108.177.127.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 84.127.177.108.in-addr.arpa udp
US 8.8.8.8:53 47.249.226.44.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:63073 N/A tcp
US 8.8.8.8:53 accounts.youtube.com udp
FR 216.58.214.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp (2 identical rows)
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
FR 216.58.214.174:443 www3.l.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp (2 identical rows)
FR 172.217.20.196:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp (9 identical rows)
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp (2 identical rows)
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 216.58.214.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 location.services.mozilla.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp (2 identical rows)
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp (2 identical rows)
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 identical rows)

Files

memory/2824-0-0x00000000000A0000-0x0000000000567000-memory.dmp

memory/2824-1-0x0000000077BC4000-0x0000000077BC6000-memory.dmp

memory/2824-2-0x00000000000A1000-0x00000000000CF000-memory.dmp

memory/2824-3-0x00000000000A0000-0x0000000000567000-memory.dmp

memory/2824-4-0x00000000000A0000-0x0000000000567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 a551c4cc7296af05a51ce367e84bca6a
SHA1 b660f9ece06d72523ab860dc11d21cc516a89f88
SHA256 1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09
SHA512 14a8880ca3205f8d62afc8876c7015415c35ebfe530a4a1cab0f474565d3cc6fb3b54ae3cfe8faaffe96a7d8ad6a0c73b68b890fbfb950fff08ea278bc5aa03b

memory/2824-17-0x00000000000A0000-0x0000000000567000-memory.dmp

memory/4284-18-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-19-0x0000000000A61000-0x0000000000A8F000-memory.dmp

memory/4284-20-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-21-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-22-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-23-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-25-0x0000000000A60000-0x0000000000F27000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe

MD5 839be7c9a15556648c2c0fcaa9bfc281
SHA1 90a16d02ba8d7e8d3446937d385b4bc891ed6367
SHA256 94a674f673bd386a4f192d505b7317687e15185b176c0f3e3b9df437677a961a
SHA512 26f2a50c67901b3b9fa3b1666069899ebc763437d5be7dee46a972a0f10038ef04ed9ea8a7e20f671fb86a7cd8c8ed73c4bb36441db0d24da64fa1a78fd57d00

memory/1896-44-0x00000000737DE000-0x00000000737DF000-memory.dmp

memory/1896-45-0x0000000000F80000-0x00000000010B0000-memory.dmp

memory/3728-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3728-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/3728-49-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe

MD5 aa22e27c237d9c1753c1d0f5b33ed5cc
SHA1 4a2814dd180be11b9cb1ecae696d7a7d579e5d84
SHA256 ac7db8694704845e72e96199e21f95630177f59dd7139139a5d1cbe1b26334a8
SHA512 11fdc766d7ec9aeb414d1fd778b5bb58650756db081c4b8e85f1a9c0a160e13bbfcd94b5bee03cffb14c0b1f997425f0f76d8a4bf1d81c1b5a1644474c946780

memory/4556-70-0x0000000000340000-0x0000000000378000-memory.dmp

memory/4472-72-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4472-74-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\1000003002\723b7eb608.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4464-90-0x00000000008A0000-0x0000000000AE3000-memory.dmp

memory/4464-91-0x00000000008A0000-0x0000000000AE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\3e791817-ac8b-4115-ba9f-edd9e28bc64c

MD5 e588a7ec6b90a92e56805eb2d9c74c2f
SHA1 931f9858a94f27c31d15c670deda69b946da9842
SHA256 f56718c727143f7cf337ffccf665312c1a3d32dbd8f3ae58e6aa4735706a3558
SHA512 9bb22f384a772e484b148f42c0f1db62703e8b8cc1a1177c0857c4d89826cd90375939b78bb8650981d7b7ed900fce25c45e8098f08cc3c89c92d45cc98142d5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\1f24fc78-7298-4667-aa14-de3626f9bf56

MD5 9f0ee9a67eab08e909cee5426cdc9283
SHA1 52703ab563d62ff8781cc542f72b69cb48f0b4fe
SHA256 e2fa759a29e86b2fd325a89e41e45b1d2ed2eac87fbdd2ed99e357d567449739
SHA512 d54dd13b993677cb5498f09dc8de94e6c0cb84f0d15bb9365f9cafcd64cec124ab77938098a0cc787bf228395cf75a30c8b6726ca84c34d4efdcee7fcae8e9af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\08d9b8a5-f6e4-49ed-8672-437491f02297

MD5 80d14f335364024645e03a0cb5a8a60a
SHA1 eaa4cfb2ecdcbb92da6d182baf8ca2c3aa555645
SHA256 2e12599ecaee0b36749b28335974bfeb868ec239e2fb0175d827f3e89be05aea
SHA512 13d777094fbe11ffe87c77fe08b2eb936933ceaa6b6b31fdd389bb96a442c46b6979561bc3169f47a53d13770be9a7ddad9ef1b306eb45a46f7ce95fed11087d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 cef7a9aec7bff53697d4b6a7309fc957
SHA1 f85c635c3f6fa6e7a3e5c565209decf37723b40a
SHA256 3f2d65ec18664ec50a88280970fc0cec5410a655baa859cb0304f7923c706938
SHA512 d48000e545a361af20c3641e35869ad62489e7ab9e48be3abc29c87bf51b59560d38cc7f37427ead25abf37b117cc81df221c8534b7eafaeec10d749df83d07f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 015c314f286fbc2e4a48da17283a372f
SHA1 668fa9cc8e51fc49d97242b7543cb033187793a0
SHA256 c64a65509a7e089e4a38ead1879b49a1e46a944a830a1df5bc24e9bf0c5b100b
SHA512 e9bc6d74a9affbfc416bdb8b91f77c2bf85a501d084b309289ed13484396bb355e5eff3ef7055c7ad1a2ce59859794820aa3dbcc2d662d90142d992c4e3256f9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 a2c34616236a9cc71d8d85f61894091d
SHA1 3e410b018bd571be7ab96d707e33bf5e7e9c259b
SHA256 958d479b3fa9b65f0781e08ffa3669b497316a4aea4406a7b2b6a6c57a49bee7
SHA512 1576bf7153ec44ac7b7d5c602d53927be694b2669caf18e6da036955c562ba2bf25c6ec9dbf65206546dfe175ce3a41a8ca389c8507e4aed661f057684cc4875

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 a9fdec2a6b0f9519843277a46752460a
SHA1 c697f5390951b634541b0eb8670966cce3f1be91
SHA256 b30dd6823fbe899385e62d7a326ebac6233602256c675bfacdb9fb2a52fe0ab8
SHA512 e73b8311bd8ee82eecc8fc8548bdc204a22161c99139348cfce67928214c62f0c7b6cc1da88fe9ff81c2eba90f17d109ed9ef876c93e118cfd16f5b862276fca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

memory/4284-432-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/5772-472-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/5772-482-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-485-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-490-0x0000000000A60000-0x0000000000F27000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

memory/4284-873-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-1317-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-1580-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-2308-0x0000000000A60000-0x0000000000F27000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

memory/2996-2976-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3148-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3228-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3231-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3232-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3233-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/4284-3239-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/5744-3241-0x0000000000A60000-0x0000000000F27000-memory.dmp

memory/5744-3242-0x0000000000A60000-0x0000000000F27000-memory.dmp