Malware Analysis Report

2024-10-23 21:51

Sample ID 240910-tvdmzsthjd
Target c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76
SHA256 c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan spyware
score
10/10

Analysis Overview

Threat Level: Known bad

The file c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks computer location settings

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 16:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 16:22

Reported

2024-09-10 16:24

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3c1328951.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f3c1328951.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{C17978D4-C08F-4C9C-ABE7-B9C8EA1F054F} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3764 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3764 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3764 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4208 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe
PID 4208 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe
PID 4208 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe
PID 4208 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe
PID 4208 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe
PID 4208 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe
PID 4208 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4208 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4208 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4980 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4412 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4412 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4412 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 4520 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3052 wrote to memory of 4520 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 2004 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3052 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3052 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 2740 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2004 wrote to memory of 1304 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe

"C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe

"C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1840 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63eda662-ec7d-446b-95b1-a4d41c3085d1} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3290c965-63d3-47b4-a557-9ecc2042bdab} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4632,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4952,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5420,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5472,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5580,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5616,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2624 -childID 1 -isForBrowser -prefsHandle 1452 -prefMapHandle 2664 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a00fcde-299e-4c9c-bb57-6976dc653ca6} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {889f531d-2ba8-46a8-b5fe-0af55442e528} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2568 -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a2b907-8ebd-477e-9907-6fe18339a6d4} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {944821f9-57f8-4104-9cdb-1daf13e6c2e7} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6280,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c6652e-8f3c-49fa-b2ab-71713cff76b6} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5888 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99c40c13-c657-48f7-993a-72684613fc87} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 6064 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f960c6-7c2c-47ac-94aa-968b476b6465} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6548,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6544,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6492,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5640,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 16:22

Reported

2024-09-10 16:24

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\fbc86abaa9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\fbc86abaa9.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 5084 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 5084 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2496 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe
PID 2496 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe
PID 2496 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe
PID 2496 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe
PID 2496 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe
PID 2496 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe
PID 2496 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 3568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 3568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 3568 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2376 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 1268 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2376 wrote to memory of 3440 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2376 wrote to memory of 3440 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3440 wrote to memory of 952 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1268 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe

"C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe

"C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\fbc86abaa9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bc5db79-11cb-4fd2-9aac-a1b2b49a8f58} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e527517c-f310-42f4-af96-a93a43a98790} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 3308 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44aea20-a1e2-4200-9f39-f94610a36e7d} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3320 -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 22631 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a9edab-2c33-47f5-a9d8-d4b8692e112e} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4168 -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e24dbd2-cc34-43a2-b862-7d675bd93793} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 5056 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80a0d7eb-6bdf-4c03-8dac-48b014053b32} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" utility

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 4 -isForBrowser -prefsHandle 5852 -prefMapHandle 5848 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8621709f-cc35-490d-b546-d47586e11890} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b913003-7db2-45af-820d-2f625a72d595} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6168 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6176 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {159f7c15-00d2-4b99-a75a-1fac98c7fb29} 1268 "\\.\pipe\gecko-crash-server-pipe.1268" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 216.58.212.238:443 youtube-ui.l.google.com udp
GB 142.250.179.238:443 youtube-ui.l.google.com tcp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
GB 142.250.178.4:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
GB 216.58.212.206:443 play.google.com udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
N/A 127.0.0.1:49858 N/A tcp
N/A 127.0.0.1:49866 N/A tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
RU 185.215.113.103:80 185.215.113.103 tcp

Files

memory/5084-0-0x0000000000D00000-0x00000000011D8000-memory.dmp

memory/5084-1-0x0000000076F96000-0x0000000076F98000-memory.dmp

memory/5084-2-0x0000000000D01000-0x0000000000D2F000-memory.dmp

memory/5084-3-0x0000000000D00000-0x00000000011D8000-memory.dmp

memory/5084-5-0x0000000000D00000-0x00000000011D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 1de49b3fdc9ea2b75ab877a135a0c515
SHA1 cc6b677a7199fe6c5af084b6e2c23e31ddd02997
SHA256 c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76
SHA512 e7a46814c972927617af62ee8e394e7229a2423231cbaacc1264f2c1d0c48c37bde88956df2fdcc51b4be55540ecc4d85441552be79cacf4e870fc1d1b699be5

memory/2496-17-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/5084-16-0x0000000000D00000-0x00000000011D8000-memory.dmp

memory/2496-19-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2496-20-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2496-21-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2496-22-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2496-23-0x00000000009C0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\758ec6c072.exe

MD5 9f2ea8da04f80eb3da5aa70a8b0dec4f
SHA1 512b90952420f05ba4e9bbc373ca739e62a09d39
SHA256 f5117e607da6f40b945427386ad04ced62b3473351008eed049c3e9653222826
SHA512 c05467a56476014fe6a4866e74ab0a716bde6213ce2bcf6c0eddc9b4702e5dc83d797722f4fe2adfe5bff1eee1eaae435c89113ab53935fbacb9fc760795d497

memory/2496-32-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-40-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2496-41-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-43-0x0000000000AE1000-0x0000000000AF5000-memory.dmp

memory/3852-42-0x0000000005300000-0x0000000005301000-memory.dmp

memory/2040-59-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-60-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-61-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/3852-62-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-63-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2040-64-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-65-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-66-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-67-0x00000000002B0000-0x0000000000933000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/2376-75-0x0000000005230000-0x0000000005266000-memory.dmp

memory/2376-76-0x00000000058A0000-0x0000000005ECA000-memory.dmp

memory/2376-77-0x0000000005830000-0x0000000005852000-memory.dmp

memory/2376-79-0x0000000006170000-0x00000000061D6000-memory.dmp

memory/2376-78-0x0000000006100000-0x0000000006166000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1f0cvd0n.lui.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2376-88-0x00000000061E0000-0x0000000006537000-memory.dmp

memory/2496-89-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2376-90-0x00000000066B0000-0x00000000066CE000-memory.dmp

memory/2376-91-0x0000000006700000-0x000000000674C000-memory.dmp

memory/2376-95-0x0000000007860000-0x0000000007882000-memory.dmp

memory/2376-96-0x0000000007F90000-0x0000000008536000-memory.dmp

memory/2376-94-0x0000000006C40000-0x0000000006C5A000-memory.dmp

memory/2376-93-0x0000000007900000-0x0000000007996000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 04974d942aa8fc2a872379574378a587
SHA1 39d9719009a6a2909ce18bc8ffc228324d9133ff
SHA256 30c31ba3c0c1c64c27baa5888eb989008ecaa1df8fa9b45daabd17790629b03e
SHA512 d023d701499da9cdaa74c09f5420c1948409e95de3a8b668fe248826f79664de39a00a485185a824655cf6513eac258d63c4a60cdeafafef94e8679cf898a09c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 390dcb59719c36c635b11c032419a0af
SHA1 09002d2a86735c5a049437274cb819d14ad72cb9
SHA256 29d92e4c4310e652025f9451165608a8b9f71585cef3579b5b5a5c8380ee7a25
SHA512 c1869a2608b6aeff6f247c433df5a4dec6fa84cbe65bbcc3a77a44d8e5d357ebb25b7b4425f42302551d79846b4548f3798701d3480cd71dea6c2e10608288ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 be345f723f3edeb2844adcd25546eca1
SHA1 56b64536a42b77acd1d54ec3e87f5be94af3f8b2
SHA256 6f6875e004e94153781926ed76eff903f79069e3f987116ec9ceb9ba282872c1
SHA512 d9fd0820300f67ddaea1a1ac7caf14cb6a79cbbf5ca5b27484f7d4ce3d6d6b6d9ba492cdeb42aa7dfdf6e9ce34a90b4109589be9ebf9be65df8e0ee5a4d29080

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\c08609a3-ca65-4770-83cd-592c786cbb66

MD5 361d1511148cc8643df9b69f84e44c85
SHA1 9b2f11e4fb38e35667fd833af2adb09d3d37cae1
SHA256 3fd04b38ac159f5b18facab49be8a11acae2c8f10882d9f5b1a5bc1019595a9c
SHA512 b77f2e61e2e236367d0828ff7daad9f0fa3d1b61f748161054a6bfddf76f6f571aac4e6e3aa5868959c493cfa564602a11afb9a23d1524cc415d447ff621cdf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\5d11e118-04cc-42e4-8afa-521c9ce015c9

MD5 ab710ea3a9d50acb1eba342f2df5995d
SHA1 ce191822205350526f02c4fe78501e9ec751d8ce
SHA256 984d9d701fc444d0957741a21733a9d3439a7d52e8c1b199896df8ce72b6c892
SHA512 ed52700bc3d2f499bab669ba69689535fa76f054fa565b910e0a99069e5550d7b2e0416f14dd954d25f9be4c1126ed4672e7e716a71d6e3cf83e519c327d90d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 2d74b6c95a1a899e94088aeec60b0a38
SHA1 e1f64c82a272ec347e5949f094cecfaaeb4c775a
SHA256 7288b11fd81966f9ff9a0b0cd8961ae67817b5460796993bacbe47ef7f536e81
SHA512 491eaf910d2bf411bab5f8623b93531dfd6c3a96e36d8ca11f4749b59e739d71abaf0a233fc84e61bf3314bfad649253b692baac7d711dc74e1989d457e0aa4c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\2b1b1535-2881-47a8-a2e0-f26256a70fed

MD5 f79147b0ef3e277cfa809630a7eec8dd
SHA1 0645937ae01365564e48a2e172a2366c6b02ab4f
SHA256 3b11a73be7527222c3719e468b4e6d95a8899eed42bfe4b431ccbf152d855e84
SHA512 c8f63b1b82a57d11437cfa9a67ef50cacddffc796ce9abb672f4089f488e87ac9925cc8696a6a27647a9a0c0726a9daf0340e61def2241b55a74690815c0da72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e1b3a31c8523ed10401696ef35b631d6
SHA1 a8c0f98fdffc1033139086fb5a383c54ce930cff
SHA256 259c36381a7fe8b320aab035d2050f7e6b4c06a16563b034bc3f7c55e860574b
SHA512 417cdd8ad515b7d6fc2bfed8e2484af2a905986303985bd81293f812f43ab6971440fac3fc00a4df0147206bdfdf18e8531d47808fd4b7de2bad6752229d1061

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 871f0e7b1530998021962da38cb494df
SHA1 60a2001717591fe18b9671e279d9014facd8b99c
SHA256 8cba45150a3ea39f0c81354ce2c419e1f4382813efc2434a6c3a249287c2f048
SHA512 eac7b482b68b962930c1b2c79e581397bc1187867c52d448126af93ac6d73cd5b8407e1c08f68b09e5a3ef3628c52efdf31d10a8c99eaa74db546681eb4a8ef9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 abc6736642257cd0ffaa96052a556e52
SHA1 6f14df2b00bf4d248baef8abda06a3fe0c82427d
SHA256 e088eaebab6b5fef507b3c76f184fa92da2d1edf4a9f98f64849e588028d460d
SHA512 403d06ea325d45e3b22ca09a81ae96a07e0e45fbf47bcde46ba8e2b4d14e12ff8258ff78d920aabd64a8789e00d25680695e996ca7c4334b5fac0539f296ead8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 0c993624b2b370a507e0b848ad27d3e5
SHA1 bc9bfbc5d980ba8cfeb160421bddd73a4d1a9b8e
SHA256 37c84eed741ebaa69c350efdefdecd3e6868b114b5fb143f1bf5e16956eaa209
SHA512 f0d05774344ca55bf2baefa6a13c318aaf4557c83b0019044fe967150b1a09224a92a4a975f828bee0929562fb265cbec04b332c125ed1997c48456df56b9c30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 a92b8c54c202c28d7657d2a125d31577
SHA1 d232afe6a9fc0d70b0f684ff24bc77b0ec08926b
SHA256 163c542713855a539bb944e94caa104835b2f48fa180162739ad5bf15198a193
SHA512 c989ac2d6fd17d44649a98c4de38fab663ed162ce24d55943d6144197d1914631c3964ba2b8646b261b116f0c5be43f45adcb2a5e020f82d48cfeef3155dbcb3

memory/6024-433-0x00000000009C0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 33ebefd0e7265ca917f96c12810ac4f4
SHA1 a750aaf0fe2c4f8aeed3d8e895a80c8d77a9f61b
SHA256 73220ea294e7d5040e677c40004dec08d05455cc9297e4e03db57309d55fe2ba
SHA512 bda3013eb4fc62fa10de8725df83c617f2b3de7967b83eba89df7eac938154c82408d47e46503af69e38c77c557ee9b926d31cdd9dd36374d4131be1c8af3b2a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 b515972d23f7b41f198df9f91d6ebc5b
SHA1 d7e55530df0db01f247820bdca2f667642b993c4
SHA256 a62948a5b36c7032a8ca576de544b7636f05fe3eee61b45225e3fc5f52a738c4
SHA512 607d941c05a1611a89ca98f1168fa0400abf3c3eb4dda2cdea7d8430e56d12a8f21b6de30e03a0f3e1e8ca82138c0c4c2cff010f3a91c4ff49b529e3c536c284

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 defe8b3a3d4c234af0f682398a19381e
SHA1 4d897c04bc956836454c1b48e7142c28c259f372
SHA256 288f147e5975438ea590717e1102358797dea0cf5fe77c154e1236dca6a9c231
SHA512 19fac2064a5a9a3b7b5bd6e4b1bb8c0b9573271dc029c802113114ac34a0caa61522103d5660bd39db025d78a282e74688c66ee2db60712172ce9cda051f448d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 d5b2b0631c2707419c3f6f9e2e406964
SHA1 09d80655ce934cc7b6a29ce554edeacd425c0537
SHA256 b4512e815c0401a008b6b85041bc220e78466b86b141d30ea65e33efe0f2535c
SHA512 eeb82e6f49fc0030ed9b7010181e8792d5bd537cf1ba5347fca4b41894dfcca16da1a245baee2c62d6a62086c73c9b28b5b99fa71a9e879242c721685573cf76

memory/3852-537-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-538-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-541-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-552-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3852-568-0x0000000000AE0000-0x0000000001163000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

MD5 f21ec48573c6598d276c449f70d3eb19
SHA1 2a2afb876ad3e506f966c6f61c7d6091229340a8
SHA256 50b87b818ae8f874664e1bd02bc215978e3f59e368efb794f44a8649baea8931
SHA512 ba4b78ef89d9d23061cc2705964974eb563c6f8a2a68962a65581de2476abbef83797981d582e0030251f0ec1cec5c12435f543589495b6430c48db1a80d7ab3

memory/2040-575-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-587-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-594-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-595-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-596-0x00000000009C0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 7db2725db72e462cff78a5635620376d
SHA1 6d2b617ce5ad44dc1739f3694fd91dd97260b986
SHA256 dd92d331d2a65924a0d7390f2012944f0607370f79d5042736c802f7868ca509
SHA512 132272f14fe96630abf04a930b8c7c73c1dd4157c5106c35dd10b7da75ed12e1ca075fda0ffde2d98f7e3c23a559eaf81d449266b29344d23db8ea6d3cdf461e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 170044e1351874a892b6efb8ba97d6fa
SHA1 68612fe8664d3160bce56d225482b2194a8c205a
SHA256 00b2ad5ef05ec64b49b5f506bb4297e61504a7a31a73117fdb263ff9424571a8
SHA512 5d857b1384848522cee2e3e21d3bd26ed13121afeef9103fd5930490e58f1ee4177d1e7d553927f88dac6d2aa5563b1a80145c5b125f8df0345d64a3cb2859a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 7d3e30d9cec169d387a32f2df25eb1eb
SHA1 b82283e64b839299cfb98d586aebebf6cde299b6
SHA256 befbf3fc193167fb875aa22ad96ad684d6aaf5bbb5aef2299dea52efd064184e
SHA512 fa5e3edf877b63c9298e09a360742ac5dcc97c8877ed3ebfaf0a5587cd61e2f06dc040d3cf0b82519b87c6a59c568d352fd7ef83f3e6ce0d45fadbb1cd2982ee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

MD5 cd50d2da9513bab0b05acadd8f202305
SHA1 e0f10fbf1ea25353fea0b1d4f8f2f1dce7b3e60b
SHA256 bb475d73ab5a0f0bcd142fcced8beb20a7b00f30af3d00a8b9c01a6a8abab94e
SHA512 401a02b3e04e52b62f0ae989d43313609182b9ff064b77551ab397be77531cce1d55102e60d5670c0d29077fd098fb2f355a748c318b74dcdd1da2f6290fe435

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 67cf807178c959be3a9172fb1b60101e
SHA1 a03fb5686255b1e4b593f17ca87f812ab2453851
SHA256 564da6b653f68db1f15e6b46d2a949c5a979d7c01d338ba036fd075468a2036d
SHA512 ae91ebe6379498d5d7e4007c87fa37f44430720b5a77d31afd30e08dbf24ff5b153aa987460e34db9d736c48d77bcbb60043350bb6ced9d899e870f9e0ceef6e

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 34717a345264b88317280cba4d5bb093
SHA1 4304d7538fa21c995b3b4a634a736c901f060704
SHA256 e9b55db7236b7f5d96f00d8ff75a0b46a57e0a8b90a63add450d2d187748e3e3
SHA512 2bcb3b1b58301d560b0eb2ffcf909ef5ba0b077c54698eb56c5f24bda4de7b2de4ef931b1b4eea1f4bbbf8c67b9b1ba73f23c8973cc478e80365b31c2e8af9cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 e7f810098b0dfcbd109cf537a95cd069
SHA1 31538cbfdbc71f4ce3c81cd88cdff9a03864aaf3
SHA256 d2d5fd8e26e73d29094caa3f2a83c25e93903add759d456e736c4fa23e449cfb
SHA512 15f91673b1145cbc7585a531e399999f1562625a87cc22fcfa7b7c80df84c524741ae139fdc9ecef56f20da1f66943703e780e316ad855eb94ec2e0035693789

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 3a0ea820f9ffeeb8f1561e25a0710125
SHA1 d7abbb79f174b770beac68470cfe124686b12fd6
SHA256 bf33f36b6f5bd40ba6c0189554b21a2687a99cf409f7893684f7fc69219368fc
SHA512 b0fb52732c4283db7c72aac9abbd1985d7b0d565397084edb8b005a4c61ff997515d953f8f6f3bf27525f28fea84cbdbdd20b18259ad35a3b62ced5f92be9c12

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 dcba7f272044856fd0ca9be9eb08bf9d
SHA1 c2de8418071269a9921ff4e1aed614b1f90974bb
SHA256 1c16f4131a06a046781b96c4ba5dd094a3d8d106ed571ca972bdb08afa4c7759
SHA512 b5cb1b57fc84ab7709e63cfe82f03fb78684ed4522306784091bc0ff3543664c6e9805be9ef52641a2389273abc66efd55da0dc0f7a173bd63cf96260f020a9e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 d3c9a9d80a2237602a1b573f87700794
SHA1 63fa4ff94596a2d9881740aabe79cddb5f2778d8
SHA256 eaf5f4d66df660d461536dc5a018c1fcb3123849cfb7a521e4fe45ff70687c03
SHA512 aa7bdc0d50fc4260f3003a75c8237f6191dae422319ee833e5b25a940e0b79451f1f7a1583c3d3d214ef38748e5e517cca414406b158513f96e0e2a985200165

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b13676a597f61998278f945b38f436e6
SHA1 29a632400137ca33bfd0ec8d3923d49ef3fe64d5
SHA256 d172700e328f081cb7101189c056b8354a74cfbef3e79a66636fc53390a8fd69
SHA512 2b8d286c4eba66b586bd424343e317c481bb6ae696d3137560eb8a00c92069a82f9134dee274e3869bed80bc11918a900538fe82caf992d505c610bd91f189a1

memory/3852-864-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2496-892-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2040-893-0x00000000002B0000-0x0000000000933000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3852-1060-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2496-1061-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2040-1062-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/3852-1141-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2496-1172-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/2040-1174-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/5800-1349-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/5800-1350-0x00000000009C0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

memory/3852-1590-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-1652-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-1710-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-2265-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-2323-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-2374-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-2671-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-2733-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-2800-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-2953-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-2954-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-2955-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-2958-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-2959-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-2960-0x00000000009C0000-0x0000000000E98000-memory.dmp
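The file listing above is a flat sequence of path lines, each followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump entries (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) interleaved. Two things are easy to miss when reading it by eye: the same path appears several times with different hashes (the file was captured with different content each time), and the same memory region (same base and end address) is dumped from several PIDs. The script below is an added example, not part of the sandbox report or its tooling; it parses this layout as I read it from the listing (the regular expressions are my assumption about the format, not a documented schema), validates hash lengths to catch truncated copy/paste, and summarises versions per path and PIDs per dumped region. The sample input is a handful of entries copied from the listing above; which process each PID belongs to is in the report's Processes section, not in this listing.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report: parse the "Files" listing
# layout used above (a path line followed by MD5/SHA1/SHA256/SHA512 lines,
# interleaved with memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries).
# The patterns below are my reading of that layout, not a documented format.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_section(text):
    """Return (files, dumps). files: dicts keyed path/md5/sha1/sha256/sha512;
    dumps: dicts keyed pid/seq/start/end/size (addresses as ints)."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        current = {"path": line}  # any other non-empty line starts a new file record
        files.append(current)
    return files, dumps


def validate(files):
    """Flag records whose hashes are missing or the wrong length; a truncated
    hash lifted from a rendered report silently matches nothing later."""
    problems = []
    for rec in files:
        for algo, length in EXPECTED_LEN.items():
            value = rec.get(algo)
            if value is None:
                problems.append((rec["path"], algo, "missing"))
            elif len(value) != length:
                problems.append((rec["path"], algo, f"length {len(value)} != {length}"))
    return problems


def versions_by_path(files):
    """Map each path to its distinct SHA256 values in order of appearance;
    more than one value means the file was captured with different content."""
    out = defaultdict(list)
    for rec in files:
        h = rec.get("sha256")
        if h and h not in out[rec["path"]]:
            out[rec["path"]].append(h)
    return dict(out)


def unique_sha256(files):
    """Deduplicated SHA256 set, which is what you actually feed to a blocklist."""
    return sorted({rec["sha256"] for rec in files if "sha256" in rec})


def pids_by_region(dumps):
    """Group dumps by (start, end): the same base and size dumped from several
    PIDs usually means the same image was dumped from each of them."""
    out = defaultdict(set)
    for d in dumps:
        out[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in out.items()}


# Sample input: a few entries copied from the listing above (raw string, since
# the Windows paths contain backslashes).
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 33ebefd0e7265ca917f96c12810ac4f4
SHA1 a750aaf0fe2c4f8aeed3d8e895a80c8d77a9f61b
SHA256 73220ea294e7d5040e677c40004dec08d05455cc9297e4e03db57309d55fe2ba
SHA512 bda3013eb4fc62fa10de8725df83c617f2b3de7967b83eba89df7eac938154c82408d47e46503af69e38c77c557ee9b926d31cdd9dd36374d4131be1c8af3b2a

memory/6024-433-0x00000000009C0000-0x0000000000E98000-memory.dmp

memory/3852-537-0x0000000000AE0000-0x0000000001163000-memory.dmp

memory/2040-538-0x00000000002B0000-0x0000000000933000-memory.dmp

memory/2496-541-0x00000000009C0000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 170044e1351874a892b6efb8ba97d6fa
SHA1 68612fe8664d3160bce56d225482b2194a8c205a
SHA256 00b2ad5ef05ec64b49b5f506bb4297e61504a7a31a73117fdb263ff9424571a8
SHA512 5d857b1384848522cee2e3e21d3bd26ed13121afeef9103fd5930490e58f1ee4177d1e7d553927f88dac6d2aa5563b1a80145c5b125f8df0345d64a3cb2859a4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

memory/5800-1349-0x00000000009C0000-0x0000000000E98000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    print(f"{len(files)} file records, {len(unique_sha256(files))} unique SHA256, {len(dumps)} memory dumps")
    for path, hashes in versions_by_path(files).items():
        if len(hashes) > 1:
            print(f"{len(hashes)} versions of {path}")
    for (start, end), pids in pids_by_region(dumps).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) dumped from PIDs {pids}")
    print("validation problems:", validate(files))
```

Run it against the whole Files section pasted into SAMPLE (or read from a file) to get the deduplicated SHA256 list and the per-region PID groups; in the sample, PIDs 2496, 5800 and 6024 all share the 0x9C0000-0xE98000 region, while 3852 and 2040 have regions of identical size (0x683000) at different bases.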