Analysis Overview
SHA256
7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778
Threat Level: Known bad
The file 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778 was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Identifies Wine through registry keys
Checks BIOS information in registry
Checks computer location settings
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Browser Information Discovery
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-10 17:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-10 17:57
Reported
2024-09-10 18:00
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
"C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adb42150-171e-4ae3-92ca-8c9ecef32e0c} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" gpu
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd011146f8,0x7ffd01114708,0x7ffd01114718
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9fa75d4-b168-4abc-acb4-ce3c36cc8f45} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" socket
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd011146f8,0x7ffd01114708,0x7ffd01114718
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b89ee32-d366-404f-8945-2689ebea550c} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3604 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3592 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {579e6ed9-cccb-4d24-811a-79febf974857} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -childID 3 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2260201f-6be3-4267-8ed3-86b9b9e25c49} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4488 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc7d9fdf-a7f4-477a-805b-44d6a7c8e821} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" utility
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,26049835834727229,4416666535191684659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1468 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 4 -isForBrowser -prefsHandle 5804 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48347611-c602-48d9-bce3-a0b6ee0030fc} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 5 -isForBrowser -prefsHandle 5960 -prefMapHandle 5964 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19face80-7cf4-47f1-810b-59be25a407dc} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6152 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {947ddb04-f594-498f-ae03-577ad2a6f371} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3852768388798091144,357844033713910031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 193.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| GB | 142.250.187.206:443 | www.youtube.com | tcp |
| GB | 142.250.187.206:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| GB | 216.58.213.14:443 | youtube-ui.l.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| GB | 142.250.187.206:443 | youtube-ui.l.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.124.235.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 142.250.179.238:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | consent.youtube.com | tcp |
| N/A | 127.0.0.1:53375 | tcp | |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:53382 | tcp | |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.187.238:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| GB | 142.250.187.238:443 | www3.l.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | udp |
| GB | 216.58.212.206:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 206.212.58.216.in-addr.arpa | udp |
Files
memory/3976-0-0x0000000000E10000-0x00000000012B0000-memory.dmp
memory/3976-1-0x0000000077084000-0x0000000077086000-memory.dmp
memory/3976-2-0x0000000000E11000-0x0000000000E3F000-memory.dmp
memory/3976-3-0x0000000000E10000-0x00000000012B0000-memory.dmp
memory/3976-4-0x0000000000E10000-0x00000000012B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
| MD5 | 17501ef864154a07ad62b3b54e0fc9ce |
| SHA1 | 478c0b532235f76c9036627fdc9286a1e570af92 |
| SHA256 | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778 |
| SHA512 | ed7bdd54e7046de070f348503989518b3517abc391423bd8d161ac305fec2eedd03977e212a5ffe13648fb615ace191b7edba3c3f386ad6552ff050f6c182cd8 |
memory/1460-18-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/3976-17-0x0000000000E10000-0x00000000012B0000-memory.dmp
memory/1460-19-0x00000000008B1000-0x00000000008DF000-memory.dmp
memory/1460-20-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-21-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-22-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-23-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-24-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1440-27-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1440-28-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1440-29-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1440-31-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-32-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-33-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-34-0x00000000008B0000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\adfb77ef54.exe
| MD5 | 4f567d2e5330efba274e7f94646b7fc1 |
| SHA1 | bd620e2e7a10d97c0e9583387e16e27b029149a7 |
| SHA256 | bccf2697513010f1b46c245e93a4f58fb38e00285fe5b56c6962dfce6bd0b573 |
| SHA512 | 058799d373304ab64455f1250738af9d71e44d72067a3eddc7adcb5df5e59d9a5f66d6341c00b3164c3a7bc1a06dc19476d5f83865712a17be7f2696f2994b42 |
memory/1460-49-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-50-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-51-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/2064-53-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/2064-54-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-55-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-56-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-57-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-58-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-59-0x00000000008B0000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1
| MD5 | e05e8f072b373beafe27cc11d85f947c |
| SHA1 | 1d6daeb98893e8122b8b69287ebd9d43f3c6138e |
| SHA256 | 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f |
| SHA512 | b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0 |
memory/2744-82-0x0000000002500000-0x0000000002536000-memory.dmp
memory/2744-83-0x0000000005170000-0x0000000005798000-memory.dmp
memory/2744-84-0x0000000004F80000-0x0000000004FA2000-memory.dmp
memory/2744-85-0x0000000005020000-0x0000000005086000-memory.dmp
memory/2744-86-0x00000000057A0000-0x0000000005806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4b0wqw0s.eby.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2744-96-0x0000000005810000-0x0000000005B64000-memory.dmp
memory/2744-97-0x0000000005E30000-0x0000000005E4E000-memory.dmp
memory/2744-98-0x0000000005E50000-0x0000000005E9C000-memory.dmp
memory/2744-100-0x0000000007120000-0x00000000071B6000-memory.dmp
memory/2744-101-0x00000000063B0000-0x00000000063CA000-memory.dmp
memory/2744-102-0x00000000063D0000-0x00000000063F2000-memory.dmp
memory/2744-103-0x0000000007770000-0x0000000007D14000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2dc1a9f2f3f8c3cfe51bb29b078166c5 |
| SHA1 | eaf3c3dad3c8dc6f18dc3e055b415da78b704402 |
| SHA256 | dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa |
| SHA512 | 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25 |
memory/1460-131-0x00000000008B0000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\05fab160-cca0-49bd-84e7-bbdb98404b03
| MD5 | a5f20f9ca1ba54abc6d716b6c9563dc5 |
| SHA1 | 9d7a938d5887e2e70a1e25ed0c7245b1c9e5bc5f |
| SHA256 | 9ed2e7b2ce7a169bcd1ba8a024e8a63624fbe7a3c7607bc40afe982255369f13 |
| SHA512 | c54f4dc6a33667611871fa4c78667ee4102592a155205c9853faed07bf9c5209873f798790a42ca17a31593d119fda0a6dfa4c879a69f949791a9e3920e1a58a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\27f3b218-216c-4745-98d5-95f050aaee06
| MD5 | 2ff016f5f8b7fb27ec40f161b4644f03 |
| SHA1 | abf4ac7f21b90d29b533a80bbecf12fbbfd0b47a |
| SHA256 | 664a2a986dc4283713ac6cd02ff45930a127188e32e26630e7a457ebbf963e91 |
| SHA512 | aa903cba83621e975d587adeb5bbe4fc543b61af1d356b10279aa43024c00b3868c736b4c747ae184c2fa18441876f9692bf49dc9a45436639a3d328c06445e5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\03264fe4-b11a-44fb-8539-8488124ada3c
| MD5 | 630bf0ef1158dea82bd4bef1d9aad6de |
| SHA1 | c5adac373fa65b37a04d6a60f85ed7aedb1677fe |
| SHA256 | c3d225c976ab96c7a856fb6772fb083f2f0a424a045570ee34319f8b86542777 |
| SHA512 | 6a1d14d54b6d555615604d017061c138b5a136c65b88dffcaf3e6fb8fe10307fa0f848ac7c2f57094a3faf6b70bd4ab18483b79343deb95b69a7e5dd3d67cf3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | c2f9b3151ded64756d6f558b0a1379ce |
| SHA1 | 136a387f82a35d322ad3be02c500bafbbc57a439 |
| SHA256 | dc1fcbcc7e2176c1660d454eac2a1255bf0ab96b05ac2a16b32d2a97964192e0 |
| SHA512 | 2c8644fca19f116a21cde5cf9662c33c2b451542dbb477c95ba713c50a3949c01ac88ca6a873b913fbaa30c1cac95714b0b47d21bfb0a924418ba1a4cc82a866 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
| MD5 | 4ce9986b68cbeb39ad7636d851d5c98b |
| SHA1 | 90cf12052d02c852bd7546f163c42e8f7c96e831 |
| SHA256 | cef1a51ce1d6bbdbbc3ce317212cd1647d33077e2937704faed82377f2bf3ad9 |
| SHA512 | 1658aa5789faf1498dab0691b56e05b655fc29a14f20c2a7b1b3ef6e9f57811f6c18dc2ba52da8c89ce66010dda96592571fa47bc206e1f01623a5f48180ca26 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e4f80e7950cbd3bb11257d2000cb885e |
| SHA1 | 10ac643904d539042d8f7aa4a312b13ec2106035 |
| SHA256 | 1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124 |
| SHA512 | 2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0 |
\??\pipe\LOCAL\crashpad_2680_WCLVHQMWRENJUHYY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 51e48273d6489f01b59de95e2d68faa8 |
| SHA1 | 2aa4773bf31176ba59f9dea0b78db70c6bdcf8fe |
| SHA256 | 5e169b93fd3ac4c9562eb70a2cc53ba7d7fa7997c70055b5c40ae73d2c8e9c7a |
| SHA512 | d4c0cbc2a9350d85951c04f4a6c9fb42bcb17da565bf4e0fdb198e6a51e86a8e95f9fe0f926dde9d499005ea52d8d59d788af057b122049720e146eed4ff9479 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js
| MD5 | f7e03fdd1f5584bdbecb7556dbe75c10 |
| SHA1 | 7923de230cc3c88d841d6e7ec3f8dc1accb9ca10 |
| SHA256 | ee5576ab6d060bb1604f37faf2c110ca4fc3259292b84be327e9fd84d36ae538 |
| SHA512 | 2d634069b2736e2d88a194eee04b2202bf2fa04496bbf4927a12db203a6ffa19b32d77f84617845b9f0dba7090a6c07f62a28245982a436ecd6dbf295b1a27ba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5f31d4698926a5bdf65c1fc1dfb805a6 |
| SHA1 | 0b8c6686c83ad55c336c074acb43be51e7587415 |
| SHA256 | 18d0ee5ca470b2696d64eb916a49caee88cbf1fbe8efa8dd808e430f0403b8d3 |
| SHA512 | a0f45c1221d4ea09a45b2aaf0d2b273686f7e4f47afd6074501a82eca3733c4dda4976a57c4fdd9ffe42b1b98ad565bdcd61864d230ad5ea2dc1adda8a1ea787 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 97e39a3bde05fdd6bd0194817342e49e |
| SHA1 | 75f63d9005f5ca6dd2ccbaed4003284b073b9497 |
| SHA256 | e8a7fb3c47a05f71f63d027f626df3bb597c7dc1bf96ec246ee5847b82b1f1d4 |
| SHA512 | 4e634a745322274a29ed14f7176de1aef6d913b37c9f1ebf71e673c219b9572717d196a3c75bd485d458d8005c4e8d74eb61afe4d4efeed4947fc7073d546055 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
| MD5 | 898495991bbeaadeb663d30d9eb06c3b |
| SHA1 | 176ec70ccdd8d3b4dff4a106498e7024bde406f3 |
| SHA256 | 637226b17a422f027bc38824b2c71a27365c98e93d52c12ebe33b86a11f450ff |
| SHA512 | 400fe97fae95f703a991234893eea774708fc6e20c59f016aaa866937254e2b5ec21e67fb15575542630cfae9faec6b54b5dbbf88431d28a55285fe59d526029 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js
| MD5 | 643032f4cf00be830ef61cabb43b2517 |
| SHA1 | c4af91cd866b622ab7887d1e36732071a23342a9 |
| SHA256 | 515e94d66dfcd36a7efe3945111aebe2b4b7b83411afab37ae46d85833c93561 |
| SHA512 | 58ce4df35c61666e419b1108b727f758dcf78594e843ed5f6a1d35a01513ac7013247417aa0541c2d0edad774dd01cd8c8b5d65cc0d9791cff2861be545dd6bf |
memory/5436-570-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/5436-571-0x00000000008B0000-0x0000000000D50000-memory.dmp
memory/1460-613-0x00000000008B0000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 96a43409ebbe577292fcf44460d7477f |
| SHA1 | 5d7bb8b35dc546cfa11db69d0a33085734b7bcf8 |
| SHA256 | c57fe32a464ca8a12191c255a16b0b94cd8747c7391ddb0a5318d3e9d96ed6f7 |
| SHA512 | 90e635973e442b4f5fd6e1daa70e5bf1bc32bfd1a2772d1698805b585e3a584c6155d2dd4df5965d00a43bcc9169d283ad403e1efcfa0415aa69176dfb9f7182 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 09e67e7984afb1a265fbf1c163f2ce38 |
| SHA1 | c632765d4352e0dbc3a6a6d75b2898cf3f36531c |
| SHA256 | c6a2d4f6409696c3e5b237665b71bfa83676fa6e05d29edf47772a0482e5aa7f |
| SHA512 | 7dd8c7b54a7bac56642804e40d5e732d56d6d75d8ee5a8495178d4b0117ff5293fe20a2fe7beed526fdd6860298d298d4b0800e0b0a6e1a75ee9199a1c44e18d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 90c76d97946e50ed9427abe4ea467625 |
| SHA1 | ecd419f4244f968224766bec66217b1d26245954 |
| SHA256 | d4f486d7b4b386538c50c0b4ea37734fda54e0deaeb5312928961bd631940d16 |
| SHA512 | 758a4664e972d1f049dbe8ae14b4de5e37bb6ef3fe1d81eb9e79b20d4f338bab2c70a62c3068fea120635d6716ff509711f3c1950fd7afcbdcb4843de7fcd3e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-10 17:57
Reported
2024-09-10 18:00
Platform
win11-20240802-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6a571d3f1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e6a571d3f1.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe
"C:\Users\Admin\AppData\Local\Temp\7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe
"C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe"
C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\e6a571d3f1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74988bd1-86f1-4f7e-b091-551cce75c079} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e3b97f9-4fdf-4320-85ff-ae6e7f987367} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 1808 -prefMapHandle 1764 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {784b057a-a10d-4f8c-8ede-2afeb169ccf5} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3536 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff8865c3-b6d4-4985-b1c7-c5eac736323f} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4080 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a370847-5bf7-4ee4-b4e7-04c71d664eb6} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4884 -prefMapHandle 4856 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {327f13c7-20f8-4fc4-97c3-b8ac9dfbddfb} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5356 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ed03795-c5c1-4a95-8dcf-e174866f93b6} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {359c6c4f-3601-4238-9ab0-1c4caaa3f2d1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67dd70fc-fe9e-4843-bfe5-2ce5daaed2c2} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" tab
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Network
| Country | Destination | Domain | Proto |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| N/A | 127.0.0.1:49914 | tcp | |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| GB | 142.250.179.238:443 | consent.youtube.com | tcp |
| GB | 142.250.179.238:443 | consent.youtube.com | udp |
| N/A | 127.0.0.1:49922 | tcp | |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.187.238:443 | accounts.youtube.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.187.238:443 | accounts.youtube.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 216.58.212.206:443 | play.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 216.58.212.206:443 | play.google.com | udp |
Files
memory/3328-0-0x00000000009D0000-0x0000000000E70000-memory.dmp
memory/3328-1-0x00000000775D6000-0x00000000775D8000-memory.dmp
memory/3328-2-0x00000000009D1000-0x00000000009FF000-memory.dmp
memory/3328-3-0x00000000009D0000-0x0000000000E70000-memory.dmp
memory/3328-5-0x00000000009D0000-0x0000000000E70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
| MD5 | 17501ef864154a07ad62b3b54e0fc9ce |
| SHA1 | 478c0b532235f76c9036627fdc9286a1e570af92 |
| SHA256 | 7ec234d569603660080ea0d4a7e4e54e237e519089dddca4c678038cbadcc778 |
| SHA512 | ed7bdd54e7046de070f348503989518b3517abc391423bd8d161ac305fec2eedd03977e212a5ffe13648fb615ace191b7edba3c3f386ad6552ff050f6c182cd8 |
memory/3328-17-0x00000000009D0000-0x0000000000E70000-memory.dmp
memory/800-18-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-19-0x0000000000F91000-0x0000000000FBF000-memory.dmp
memory/800-20-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-21-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-22-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-23-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-24-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4960-27-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4960-28-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4960-29-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4960-31-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-32-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-33-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-34-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-35-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-36-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-37-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4828-39-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-40-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-41-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-42-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-43-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/800-44-0x0000000000F90000-0x0000000001430000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\41a0a09fb5.exe
| MD5 | b568ff86da616dd1a46d9fbfa9415f72 |
| SHA1 | 1f0a299ee6349d54d18b5147ff957544501b66fd |
| SHA256 | 8e6e5197c7542613f4fcf6dedfdd6a774f1464876cdd2defcfc05d092d169180 |
| SHA512 | b1e3c0703d317973c6bfda8bcab2c5bc97de12062d0ac908bb9b3e651892244630df1f07076b43d3a4b0da8a0ff7ec10bbaafb1931377542c9c812494b067b29 |
memory/4556-60-0x0000000000840000-0x0000000000ED3000-memory.dmp
memory/236-77-0x0000000000190000-0x0000000000823000-memory.dmp
memory/800-75-0x0000000000F90000-0x0000000001430000-memory.dmp
memory/4556-78-0x0000000000840000-0x0000000000ED3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1
| MD5 | e05e8f072b373beafe27cc11d85f947c |
| SHA1 | 1d6daeb98893e8122b8b69287ebd9d43f3c6138e |
| SHA256 | 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f |
| SHA512 | b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0 |
memory/392-86-0x00000000047C0000-0x00000000047F6000-memory.dmp
memory/392-87-0x0000000004E70000-0x000000000549A000-memory.dmp
memory/392-88-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
memory/392-89-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/392-90-0x0000000005740000-0x00000000057A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctyspm1q.sa4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/392-99-0x00000000057B0000-0x0000000005B07000-memory.dmp
memory/392-100-0x0000000005C60000-0x0000000005C7E000-memory.dmp
memory/392-101-0x0000000005C90000-0x0000000005CDC000-memory.dmp
memory/392-103-0x0000000006C60000-0x0000000006CF6000-memory.dmp
memory/392-104-0x00000000061E0000-0x00000000061FA000-memory.dmp
memory/392-105-0x0000000006240000-0x0000000006262000-memory.dmp
memory/392-106-0x0000000007330000-0x00000000078D6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | 8c287d9f69f18f40120992f3733363a3 |
| SHA1 | 69123795940d4006cb948732cfa9ddd670045216 |
| SHA256 | 97e7fc47fb836288b8510b6f3a7de38be35e6dae0b46363e2042b9588b6585d3 |
| SHA512 | 6899573bb0ebf268526540558a42a4517bcb411aacf913ae75b4a32dd7dff98d8c8e15320b2a003a8db12952a0a6c0f0c7f650bca89a27f4894d6f67c607dbce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 36cc00861295f2accc506a87f8f787f6 |
| SHA1 | a4c50ca56ef89e8ce751694fe76d6d4aa1560cb0 |
| SHA256 | 283352fc775475760bc5c30453d4c5c3a9f4fd007c684bfe40aabb0d8d711535 |
| SHA512 | b5e4e6fcb1937f61ae6bb5f0c05b5a66ad8aa42cee2039c53dea113a35c19f6fb32a2c4a33f0f21ba42fbc75ab2d18a3f7e4bf820c93fdf2e36c33a0f9c28766 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\7c2087f4-92bb-4637-b191-a5b75d24a30b
| MD5 | b9ba820d471273b90eca9f62bb6532c3 |
| SHA1 | 43dfec415a7f4948baaf4e25934b31daa374572a |
| SHA256 | 28619ec23a867ca80af49da1d5a6c7141c33528b432240b1eb44d435c28793f3 |
| SHA512 | a12b0b1803eb6fd4c3865c1921a8a21f23a132bc3d10a092ad6ffac3c5e5446428fad996426d64e44b96174c3e65cc4cdf82597e97f52458f83384a15b24ebb2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\c2a2f2a6-b513-4482-a81f-9f64435715f5
| MD5 | 4e60e6f3c72684f4927fa7c0ecd665c5 |
| SHA1 | f73cf85e3ab56cc4198d1a684bd9914aad75f006 |
| SHA256 | 200fa98f6eee9ffbd6685cb5b599a9b81b55407f2c09d982db914b40885cfa48 |
| SHA512 | b200eed78dad586cb484a1b5630826f8a762936d14f800a7ebb18e61a24d69b9d967ec43b02cf8bae5ae533d2d6e273b1cab935b1727b38116a1e04384562259 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\00f61db4-3449-4a12-9caa-5e5a4608f9df
| MD5 | ab426109eb6e25a50610060e854b01f1 |
| SHA1 | 06263351b77e549465ee9ed6c72d1fe1bc089452 |
| SHA256 | 51b14f7167af12d93d603b78a6315fb94a05e29f518cde16297edd9a7a8f445c |
| SHA512 | 42496f7f659018b9de3c80ac550eec1d6fbf4e63c76087fe08986b539b18139e2b338b020196e92a8074a386e008c8fe230d03f579e0abdcb24286aee127647f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 7853acc70b8ebec29e3a66457f36572f |
| SHA1 | 49c1ec7da65149f86e0f6088991d919594f828e9 |
| SHA256 | 4d76beee56bf356d037c0c9c678a6708fa4df70a23dad59aaa06dede888da144 |
| SHA512 | b41542fcc41eaa67902ade97a3ddcdfc8295aaf4e6ff57165413a5e33456adaa76579bd1a9745c134885df44783cf57187338e04a9ccce0d949155a705a64c94 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
| MD5 | e83554a0b495239617641ddf02be43eb |
| SHA1 | e0cb93a65c94479b0f626adb4df5a82b3d9594ff |
| SHA256 | 9c296011b4f74ccfb194d31646bb09f939e6a3d5c346ec2f5da7ee9e07bc7e52 |
| SHA512 | a39ce64bb5fe5ce2d36147948336e68f555c1de5a31d679ed8690418847a4a45e6bba6180f38f8e691d01403d9051185471ad7519c232af158e6bbf2ec7a62f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | 0499d32eb2a7f6538af740461ca76977 |
| SHA1 | 055087012eea6baeddfb83338241251f7ffd806f |
| SHA256 | 60a3c184a73ee7ad34eada5cb1105573fb47fd46b99b054fe6d125f5fd1cd0a6 |
| SHA512 | 111eb7b2c32afb1b2e3c85d0d0596db1b78e3846d12cfa89e13038370767e870021e7518fe7ec81c8b8751e12625365870a9b073e342f968fb7d6386ab84d625 |
memory/236-423-0x0000000000190000-0x0000000000823000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | 5e9d85b0476dbd471a236661ddcf181f |
| SHA1 | c50c28ac70e4f49f42d1c66b42d5ea79690a44ee |
| SHA256 | 48c065e374e2b26762f08e7ba1be1d1f6b79aec054b74aa88c60edb8b6ffd6b8 |
| SHA512 | ada65ce3cdf18c433cf93a64aca57a5cd570d98be1037f2b8d58e16e03497bcb5dd99d0d8b1add9df4886be33f215d59b4049572f933c7ddf161fb533f20bd75 |
memory/1128-468-0x0000000000F90000-0x0000000001430000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 27d5188f3a85c6087c63502c18575d4c |
| SHA1 | 5a6f6b0cf0eb798bacdeee72012c6689c6b75e74 |
| SHA256 | f8c47452ddebebe78bec9c929bfa4b8bfb213c7813d7f3b1d7c12e97669910d2 |
| SHA512 | 0e4239d55f9f7a95411a6698a1e629e0bb3e760261d46a2457af73e9574a4e6e3a2fd51c71ec1bb3e46a5e2e7897bcebe24a46a3c922add216b33d02db231708 |
memory/800-504-0x0000000000F90000-0x0000000001430000-memory.dmp