Malware Analysis Report

2024-10-23 21:51

Sample ID 240910-xwbrka1fqc
Target 1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8
SHA256 1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8

Threat Level: Known bad

The file 1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8 was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks BIOS information in registry

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 19:11

Reported

2024-09-10 19:14

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c500a4b227.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c500a4b227.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3720 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3720 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1704 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe
PID 1704 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe
PID 1704 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe
PID 1704 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe
PID 1704 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe
PID 1704 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe
PID 1704 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1704 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4320 wrote to memory of 4888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4888 wrote to memory of 1212 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4320 wrote to memory of 1084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4320 wrote to memory of 1084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1084 wrote to memory of 3332 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1212 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe

"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\c500a4b227.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e836d0e3-f2c4-423b-b9eb-892613e97861} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1599c7f-2ae0-437f-87bd-c890ce2225f1} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff98a7946f8,0x7ff98a794708,0x7ff98a794718

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98a7946f8,0x7ff98a794708,0x7ff98a794718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 2948 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f452c32e-03ba-4c6b-83ca-bac9657241bf} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3688 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b8401eb-9688-4df1-a071-3784c97858af} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67554da7-bed7-4c08-bd94-aeeae933f0ec} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4424 -prefMapHandle 4448 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f422e1-2a08-4ab0-b18d-0d6f09c2d0df} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1410402225721130382,15031895346781164487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,1410402225721130382,15031895346781164487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 4 -isForBrowser -prefsHandle 5828 -prefMapHandle 5868 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a149d891-5d82-4a02-9083-6885e545cf00} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 5 -isForBrowser -prefsHandle 6036 -prefMapHandle 6032 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb0ed836-9c1b-4a8e-9b6f-e1deaaeeb52c} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5924 -childID 6 -isForBrowser -prefsHandle 5824 -prefMapHandle 5876 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {291b8081-6d9a-4768-afcc-be0f29ec3b33} 1212 "\\.\pipe\gecko-crash-server-pipe.1212" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5633160481942205194,15955519191488062916,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 143.180.12.52.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
N/A 127.0.0.1:56750 tcp
N/A 127.0.0.1:56757 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 udp

Files

memory/3720-0-0x0000000000E20000-0x00000000012C5000-memory.dmp

memory/3720-1-0x0000000077A94000-0x0000000077A96000-memory.dmp

memory/3720-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

memory/3720-3-0x0000000000E20000-0x00000000012C5000-memory.dmp

memory/3720-5-0x0000000000E20000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 bef90e67c56413d8e7a94cbd45f9b9a1
SHA1 dfc9e49ea097f1955e5830055a7c685d76c6d0d1
SHA256 1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8
SHA512 ae647a17eafe300f4a465eeda4de2e3b936f39cbbf44a01b1036e5c18c3b40a2cc89e55a4ee0fbc880bafacca1f8781d10b317f187303076038a237aa85bc07d

memory/1704-18-0x0000000000370000-0x0000000000815000-memory.dmp

memory/3720-17-0x0000000000E20000-0x00000000012C5000-memory.dmp

memory/1704-19-0x0000000000371000-0x000000000039F000-memory.dmp

memory/1704-20-0x0000000000370000-0x0000000000815000-memory.dmp

memory/1704-21-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\a31c17c697.exe

MD5 b568ff86da616dd1a46d9fbfa9415f72
SHA1 1f0a299ee6349d54d18b5147ff957544501b66fd
SHA256 8e6e5197c7542613f4fcf6dedfdd6a774f1464876cdd2defcfc05d092d169180
SHA512 b1e3c0703d317973c6bfda8bcab2c5bc97de12062d0ac908bb9b3e651892244630df1f07076b43d3a4b0da8a0ff7ec10bbaafb1931377542c9c812494b067b29

memory/2948-37-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1704-38-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-47-0x0000000000190000-0x0000000000823000-memory.dmp

memory/2948-48-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1704-56-0x0000000000370000-0x0000000000815000-memory.dmp

memory/1696-57-0x0000000000010000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4320-65-0x0000000000C20000-0x0000000000C56000-memory.dmp

memory/4320-66-0x0000000005090000-0x00000000056B8000-memory.dmp

memory/4320-67-0x0000000004E80000-0x0000000004EA2000-memory.dmp

memory/4320-68-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4320-69-0x00000000057A0000-0x0000000005806000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmc0otdi.aax.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4320-75-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/4320-80-0x0000000005E30000-0x0000000005E4E000-memory.dmp

memory/4320-81-0x0000000005E50000-0x0000000005E9C000-memory.dmp

memory/1704-83-0x0000000000370000-0x0000000000815000-memory.dmp

memory/4320-84-0x0000000007130000-0x00000000071C6000-memory.dmp

memory/4320-85-0x0000000006360000-0x000000000637A000-memory.dmp

memory/4320-86-0x00000000063F0000-0x0000000006412000-memory.dmp

memory/4320-87-0x0000000007780000-0x0000000007D24000-memory.dmp

memory/4348-99-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\af4cde93-dfce-45b1-ace6-ea3d69d39096

MD5 ba04b61213f7f6163cc015a1a0b04f87
SHA1 7b6e0f01fded78f90af2d5183c962fea74e9a4b4
SHA256 ae4404afa0b77ff2aab90a1c60ba52ffd777a44858bcf8bbe0927c2b8368f5be
SHA512 a5115cc3073d62ada6928b8ee2b75aae710d776bfa18f013386dca29846feee4e8b070ab054d7ec464730846f9d8a17f6037dae1c0e7f274511dff7c1f6c55df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 719923124ee00fb57378e0ebcbe894f7
SHA1 cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256 aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512 a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\8a4d3074-19b0-419f-be48-9a10bf6e8563

MD5 ea34e31f98918413f81dee14d3ba7167
SHA1 26ef439ea3ebd2c983f0a1cb3031b94f5621ea6c
SHA256 76059bc348e3c44dbc450fbb1cfd49474ea94d993c9d36ba019c4dc42e8a4f0f
SHA512 8fe50205b191f580c67917e81a1bc6511e04e73f0c5839119f296ff95bfe79b95e818e9b1299c2a132d7f6eb3e87d8ba9b39432f8f34242827ad459571de4a37

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\9a5cb33b-51eb-4b27-8367-8d5b78b79472

MD5 d2187312a58c092552bd5d37f535a8ab
SHA1 3304c80d06a821043b24a100da5f9093f62fa5d7
SHA256 942cbaaaa64551dd925b4b4314cbd0f29bc91b68bdda90128fbe5ed4721a71cd
SHA512 57210414e7dcd8d0aefd6cca27e8fec3a599ef3a585ac44ac75c75d3c0856c63312d0950ca2d78bcfd4351f3984703ac37ff421dcbe8f2eeeb10159ef086c0fc

memory/4348-309-0x0000000000370000-0x0000000000815000-memory.dmp

memory/1704-315-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 8f6bad0c244f40f892684f89457fd656
SHA1 43c79ff0dd89f37841665f42b29d22aedf1212db
SHA256 7b34a2a05c6c144d9dec6fa21ee9c0a7df93ed7fed27440f423716865a7672ed
SHA512 e15a0f5578f72e9d8235184f12f23697a842c8d0bee23b291448f7f1da3dcd575839d0b86fe7b29690a29131f8f25407ae2516bea476fffd57e3677b08546e38

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 fcaa9ac096dde475480205a47a6a4b6e
SHA1 4ee741c7c7d0dfcc6453110b848dd9af2a8feca8
SHA256 471cf0eb2832170263e4c44435a21327a4f75546be2964c8b77472007d75cd23
SHA512 bf155009e3e480c08a6d4b0337cfe4221345f5c23925bf9a516e87a3dbdc9177cce4e9448259483441fb6e8ecf37c6bc8ed982dee4c3daa527cb6de1896fb083

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 a7ebec34c18bd2506062d4444d62544d
SHA1 08437a9470e7d35d27ba2bf78677cf3bd4ebc83a
SHA256 060138c812efb8c53e4d4fae96da95da9204d133746f830bd9128d2855b5bfe7
SHA512 dcc8e00485ee91712fcfdb5f282369fe11ff35be370d28eea0c3e9a56cef7c6bd63b687826112a0b45319ef5d15769079115f8aa1af817f9960fb14093554f25

\??\pipe\LOCAL\crashpad_4680_NGPVVZBZFDUQUYGG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json.tmp

MD5 178ef4e9d160f91e5e55211852cbc79e
SHA1 61f97a67f01f2a602bed8e186cca9d9b37af3a5b
SHA256 a42759d0403f639f123ad18e69f5093bbc5acc9432d174eea8d8fb1485b7e9aa
SHA512 b02b11aa333c384ac81c8c7d1454acb6d5e2084f6ffe7c8bec3671e54a9a0df2390d7f426d41b0a8a80d64b5e386ac41867c8b59a61ce8191c0df0e766901e0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7114a6cd851f9bf56cf771c37d664a2
SHA1 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256 d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 e248211c34250d795d98cd4da6e258dc
SHA1 610a704cd51a8e8df4775136896942e957d40f5d
SHA256 850290f475197ce4dd21c3c0c348e39395978c215f9b5aa0adc766334369d746
SHA512 31bec45ab29423c73c04e46130926359ee86aa85d58c2186dd05163e79470cfa8198e84e6b96168ad61e5094c929869c77f3a621609d0eaeac0109418ff2fa9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ddf4d6f7520504a0fa57cfec070ca54d
SHA1 a65a07f07ac2c3b5581ecfc9fe51374a51e2d63f
SHA256 f4819fa43faad0c739fa2d1ed9e7793f9be2b89abb7b7717f39b9c58c87eab63
SHA512 e5a30bef9d6d7ac52e7dd454e973b3dc805af72d1e6f53b4a896fa7453f09b53942801db70c6cbd9b248b94c55b489f5697f057963b81fb350a3c1f12db39682

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c01ee5c26ba076e00337183c5a0c4a35
SHA1 3363b25c1ecd2da2ad9374e241d6c9ed9034999a
SHA256 eb8fe3f2cacc2d39d67ce6eecbdd540bce243fa17a5f991c5e7204dae01ce90c
SHA512 5789c128b7f1d1668ea30d53008e81284ca4395da436a2f3d1ba9fa95870afb788e449e3e75c70eba9deb642a31ffce125057373758310f000eb0bf8c71d4194

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 58339d901fd6618ae5770118dfeb0cb0
SHA1 24dd3663e5b56ea43529f1a853b4176ff5f1f31e
SHA256 b21654defc71a69c392dd65bd0eb5d9846333f960e6c64666936cbde78ba44c2
SHA512 cd2490e4f5b3d5fead0b0cbb4a1916a2ee77d8e88d4be470fec96d2053170cf3a58772a99a1c3b002e3b606199e4c9b21420ff301c95ed1fdda59a1c379123dc

memory/2948-466-0x0000000000190000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 75bb2134a60e5329683412668ae0c325
SHA1 349df318ab0668c954b4e8c95e4d186d5defa35a
SHA256 3a45e29b3112bdf4eadfc0f442122ad0a0645fd976a70f21f72b321cbd3824cd
SHA512 730a5dfb8b5eb825f3d4b703dfabf99dc0d7e5953d43320aac5551f6ba4ec00400c9bbb72131d4c8092151cef63bc9cfa43c8973d577886da647f10b061f4c58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 820c44a3d1ad15b2bb4821ed68140a7a
SHA1 2e3af4cd8d3a910f75d3c268b5890fc186308ad3
SHA256 a1e3e660c49600e6f8f5b9a42cda2893ff7d2a571b8f8fa4e3b2034b24a24719
SHA512 41305a20a9a9cd89b7446b170bba235c59a67cbc751a30bf23c9a9c55ca941393cedd3f24b7a0174e2afc9f908cd4566c06620182434d067cfcff2e624919d23

memory/2948-555-0x0000000000190000-0x0000000000823000-memory.dmp

memory/2948-556-0x0000000000190000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 77d6748eaf98b947dbbc7e21844bbbcb
SHA1 8c448354ecc6d8ab43ba3599592f442d31ae6762
SHA256 fe48aea0dee9097570a1fc9746495c64215e1e2a62fc69beeaf3bbd054602b56
SHA512 385894f838003839d00a6f5dbfafb9fb703270208ebb59c13bc780b8f23769f0bcdf55db29230b1fe16fa28c818d1b2cd6351d1e9e8bfc3954be55ee1b1cdacb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1696-607-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-642-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8d14dc1fd52b013a509ee0f2c29cc9aa
SHA1 83354cdfe18ae852b0db0bd5ae46489e74d82335
SHA256 a5eae114ec551a7cdb5a1123ba905f91e67c81dd1feda37ec9bca95a04cbe002
SHA512 847fc3b649e26cea0c267fc26cc582db2e55486e1fb7976e0f3f57d5f5d689cddc1e9453c1507a8d6b1412c17552b7ea9fbd3e16e6f3c084f4962f4655f7d2ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 127961862c030c8bfd8e67f42eb43341
SHA1 35aba31abe3f121752c5cc9e84a28416d9b5e90d
SHA256 5e12689bf017f234a332af8b38ca32a22d64cb9c343c8fa43b466f58e839e567
SHA512 aa00e8ace73c92553f49fafbb4e3bede0c3516107696e3e4a1f81fbd81c36136dff2e162575f2b19e410c3bb620e6f7fffbd567393d24b31ab9c7b59ed698f88

memory/2948-670-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-671-0x0000000000010000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 cc622472973af2e63369c747eadd455d
SHA1 66399edcf501f47251d7ba8dfe224e9976144cfe
SHA256 ca9bed0fb1ebdfed1aac534c76be98b8d2c941ce90f53d473d8f7a65a130a75c
SHA512 5a6fe82e5d2a5b1c87f537d09a177d098c86bd101b8d7f91874233fb3838c2ae8f344716055e5a58978b21a7c9fbed2fd113e6664d3cda64a585aa3592ef3d9c

memory/1704-678-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 b12c79c8791caca354e3dc7c4a04e8e9
SHA1 767521e426c5dafc3b26b4181b6777c649e37bbe
SHA256 588c6dcc200f4dbc84d38c5947ce9c25ba349e31d88df7c784a3535ec97de2dc
SHA512 e54b7d6a368ffbbd04341233e4091319dc3d9d025db5677279fe7413c1980fd37172d004ada5d3c0722dd88aadc895025c7fc5d66d3c1322d794c9c776b45557

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 d192eb2cf9fd0b434c921b905c9d855c
SHA1 33a6fcd55ffd4e2668968e342cedb79d77acc8bf
SHA256 db77d005be2fff231d0035ea513fb772b0d59cc9570bd5946e9cc8fa49a99f43
SHA512 e4c88528160f22621db8c842fb02854ca20eb5b46cf1cee3a118c1495c599a740de28045d5e79adf616693c197942b64e8866b2e29319bdcebecddcd679784e6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 ccc4fcd7023070709080b165460fcd78
SHA1 84814c5306751264a7816f22f75a647da141b3a3
SHA256 30b35ae841b91c0e2864387fe04d19803d81ac2fb537958b47fb03b6b9753c09
SHA512 86620876b85f1946e68b6d5d9ab7f5d4c1514bc907ef0bf9fe7368a7a81252e980de2482fa014eae643bffc0babc9717741aa075c739689959e9a9dab32ec50b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 37970d953badbc0d020a2c81eb0e49c5
SHA1 d2a95dd779232f75402f0a20fc1e464701600295
SHA256 6611d056f24ab513dab2a376fe1016853a38faeeaaa13b18417f1954eb3e0952
SHA512 d6323206de101268f9515c811f319b1297a8104bbaad97e6314d8f1467e8a682bc62d301333887ce6bd9cf3c36bdde0bd90271f0a0e9b079f9a61707f34ef20f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 b084b59bdbcba30005dc4d03e5e8f9e5
SHA1 40b4d37750869375e44b6e28940bc665de287467
SHA256 e095ed7f141acc901ccab843614a52b89a17d4c9bf64e9a9643537890f34a7f5
SHA512 8ec575d0658b1939cbcb1b639251e03fd5e7d662a4e444ed20e42709f894412fa9e314cad2f530579ff53342e12d5dcc08019c782c12c56b88277194c6ff56eb

memory/2948-763-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-764-0x0000000000010000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e965559288274ce88e282044390fb9ec
SHA1 393076e4ce422e39d96b42c0edb7443a40b74f0a
SHA256 a45c7178a26f78c32bde19a58c7fa01398ed8332ef2c72b9ae106b3489d0e78a
SHA512 0b77a01bf63c528433a7607a0da9bbd1f4f62193722713f2e5f07e0ddbf0588ed19b9e3a4372256f1fbeabba0d73e03ff59cde8ef37491b3bf0a735443d5c7dc

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1704-815-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 423e9aee383a5a3d0888b51bcdfe9965
SHA1 b2c9fb0d2d068b260cb5507af4519e9b367f1794
SHA256 f8418a77b3c0ae0a6a410ca4f1c1bf21766baf6d5104cc0b2419b0ef634393c7
SHA512 4bafce8775bc00070c85c7225bca6eadd6c6291cedb3297cc47e62a214b8c608dcdac9e579e3e5431afd92494f5e6091ff588c30bb6a0c936168611cd3f71adc

memory/2948-840-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-844-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-845-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 0086a3051d8c644ecdb417dc494d053c
SHA1 4e2574ebdde052930b17868dc8ad64e42e7eb067
SHA256 2dc9b0e006383a028c614a7b2f20295fbbf5614313a7e3173f70478f6f1a1ab1
SHA512 955bd34da3722d10f54e0417414d37042276d4f66ef9e5e274a980e2266041da2da44b69823809c162053ff9d8c630a8674f349b685a5c46e150aa07dbbf4a06

memory/2948-883-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-908-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-981-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-1047-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-1070-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/5036-1185-0x0000000000370000-0x0000000000815000-memory.dmp

memory/5036-1202-0x0000000000370000-0x0000000000815000-memory.dmp

memory/1704-1243-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-1605-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-1687-0x0000000000010000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 f79cf73b133329dde6e50e9bdc194dbd
SHA1 0ffacec0d4fd311db2e2d232e4949935d0b9b59e
SHA256 55f550374d99128b9912fed08575f69d3812e99681eeeaa45a47a1ca810f0bb9
SHA512 2dde4e3f1426815c83e9dc0038b1d5f13f8f19507ad75f4b0a08cba7e7d856dbfceb7f47338438344dff23adfb81d31b3b793929d01f0587065c5a1d39af4047

memory/1704-1909-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6ae552e31a71daeacbd84fabc21d7747
SHA1 60ea5af3a42a06b34ac2f8f1993eedfacb8b30f2
SHA256 746e44476c54c124d42c22b34748e2863845ee0bc78dbeecaf4e8150b36e9a8a
SHA512 b46b8b5394a4e1c26869ce42ab45bd06949b2fd94bfb22bd8be38fe9c594cf253e479ec231030e17d65edb94d8078ad4ab9c96d1b1f9a1687de3e18a9bb8e814

memory/2948-2306-0x0000000000190000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 99a5da1431b24870fee0bcd1d612e1ef
SHA1 0b551b627973f8720dd83142789a9d35a867ae4e
SHA256 fe490dd0ed0b9aedab4feb7282ff60ae57ced83c5beab401b9dcd8612d17f09b
SHA512 e104ebba103f9995a3b35dcd1e87eafc5b58e60919ccd6f8da432724051dd571a4c8ff35f7503ed7446d0b8715f7383ad6906c4f3a9eb5001a5390a34d717232

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58de74.TMP

MD5 a3d2ea09d492616834581e51be97172c
SHA1 8c2fb9c2db5872890c70ca6ac6915c63629cb8d0
SHA256 be1905292cc5a5b5a50858694f9150d6471ca28d0d1970afe26b8d11fb78abcb
SHA512 82a64d619a985ef27d97791b5e1cd8348eb3a916b06cc3ab588a69de6f31fbfc4a224fc4a941545335d52c9ee32df5f0efb4b399e19a1ae2994aca70902fd82c

memory/1696-2372-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-2634-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-2691-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-2692-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-2832-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-3001-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-3002-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-3003-0x0000000000370000-0x0000000000815000-memory.dmp

memory/2948-3006-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-3007-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/2948-3008-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1704-3024-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 818e3287963267cd83ff97244e16dc30
SHA1 11b02204d2fb4654dbcf6a1528efdb72f247a5a5
SHA256 ef407a5e631944c69d582f8f678796836c3b7340d900423d2000a4277e14f309
SHA512 123277f1709607234fdc88a68fbb656780ba1533300e69e1081e5b742400038d22016f5d43f47e686c04f6efc4dd0832584130069b93da39e161dd37703c5c2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 d34b6fa0f4baa7a0eb06abe653dec6b0
SHA1 d0c31fafdb41336192fc9da3c43fb65123828fc9
SHA256 cf15aa5576c19eb58f3229fa637a17b2adb2f399693c9a3203aa3279defeb031
SHA512 e44e5b775b73fa618346e603e0cb0f974a3b0789eff79e88249b9cae3eaed2650c3013265d45ce46e38b43a74ca8c492a8151dccfbeeb20d0dea9ad3e57bb598

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 0d2c87b7d2f56b8a5a89ac16107a5d6b
SHA1 c136a15c4d93343adab98870b7b0918385d3ce96
SHA256 402301a1c1d3f468c46ba86b8f2b3538c001540d20f4426de0101e2f7ea5e76b
SHA512 fce25453e8c4cc39838a1bb4541a5c207945d714aff847af93da2579cfcfe12341a9a71482a49fa793f58abb280a281620604c504e29005cd2a95276f573fcd7

memory/2948-3045-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-3049-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/4288-3057-0x0000000000370000-0x0000000000815000-memory.dmp

memory/1704-3058-0x0000000000370000-0x0000000000815000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite-wal

MD5 f988b54380574a139266305e376e9225
SHA1 881865a8901096653d4df3f7f012b95a8b66e530
SHA256 649367d42b4de608994ace324eefa9d21c6c0ee9861f602dddf73c831047bd55
SHA512 b62f04a532d9e6740f75b88a004afaf7eb445dec3b3498b04c10dfe6ffeceb601f6e09fd1fba9a550febcbf5a9a40e82cc3e97c5bd9318391e4ecf36311bb4a8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite

MD5 0d28b555561dc81c1cf2acade0957478
SHA1 a40dde4262e4801d0ff688bc34628879f5973ca2
SHA256 4bce46718ea568e10008e767938f0880f9fc56830dc45b1d6f9a82dcc3599a7f
SHA512 f644065c5d1d51a4327c8fd323f5b11f9220306843b3c173886d7b202d9dddbdc89f4ad7c8498c640f7b4f2cfc798cd6e5e29cbb8537ea6d76bff6a2c45bfc5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\places.sqlite

MD5 660f1fe7a1472656dec54b5c3e8e311c
SHA1 dbacc84f33f3988e05363625c4087a609eddd7e9
SHA256 72571fe5a0bc18a6dc68d686e087da89b25246b0c48b652fdce00b77004f8aef
SHA512 368bc4c9de4f19b2c677603fb5a13e4ea31f0b49ac1c11f2150874aecb8ecc8ecf6e5c73c66ae983dc85ae2044c6e2e84347bd22515f0e69a88c7c34fa3e7bca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\places.sqlite-wal

MD5 bd77240e16b68ef87f3c0e962cb08c1b
SHA1 9a56ba1822ac4505596d1a3b5cbb4958fc65b8be
SHA256 44cf4cd7125946ad8ac01dcf95da0dd4355b2b04f9541f91ad24a75a7b377d48
SHA512 06a253f707229572a74d2d461970d781b61af7e059a12741819810acc04e5bad3aa6b90f0e04548fa772b5fcdb94fffd516f4c07bf606bd8f0d40f02483f80dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 f82418bf82c971c6f9a7c15558d3bc48
SHA1 b4241d63faa75f714f9e98fb8a138ce2238255fa
SHA256 34f55bbaa0811468f2cc0da55bfba717513e34f092840999cc0d193a4881ab3c
SHA512 782e83cafad82755fe55f06c212a0f29a1979e81f4733fb8349195344c3d308b199ffa0e8945812d20a80ad516af541162aa143de449ec845f6b3ac355b1fe1f

memory/2948-3096-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-3097-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/2948-3098-0x0000000000190000-0x0000000000823000-memory.dmp

memory/1696-3099-0x0000000000010000-0x00000000006A3000-memory.dmp

memory/1704-3100-0x0000000000370000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2bdb3d92a9ab9f4e6d2ed9ba742c8a9c
SHA1 b8bae80b4850f06d234854be8aa4dc95d2767f84
SHA256 917826987a1779b1df25fc38fa45ef0211b77f08df6834fc3d00473bbbeb8dbd
SHA512 e8b0b6622113649f3ae1001439c7b833b3626fbf75bbdc1e6f1b887356c173ef9c1a2fc0752f77c5000181c89f01ee0a0adbac833efe44a1bef053d06253a5fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 915d9741a06302e0a7185bee2e5ae37f
SHA1 7be3ba1b576d8f940871cf6cf4a7639458b91953
SHA256 6bdb3837e0c52457899658eda90306f60c00d71b61777a9dc97ef59159518e9d
SHA512 0e78622a6685eb82f91b2c9f09494881c68a9a0a7c064be6ae3911a7b08e9221663bd0f6f898137bdd953830e93b7e08d48150dc307923cf6f5e97cb4d57af68

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-10 19:11

Reported: 2024-09-10 19:14

Platform: win11-20240802-en

Max time kernel: 149s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\3db70fd349.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\3db70fd349.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2312 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2312 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3588 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe
PID 3588 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe
PID 3588 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe
PID 3588 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe
PID 3588 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe
PID 3588 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe
PID 3588 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3696 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1692 wrote to memory of 1896 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 1692 wrote to memory of 1936 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 1896 wrote to memory of 5048 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 1936 wrote to memory of 4576 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 4576 wrote to memory of 2676 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (20 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe

"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe

"C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\3db70fd349.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {788fdbcb-6d7f-45e0-831a-836d0bbc5d89} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12083145-2161-420a-ab55-4b326ca44865} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dce25cd-17ed-48ed-879b-84aa0d912ec9} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 2 -isForBrowser -prefsHandle 2816 -prefMapHandle 2900 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2f74c5-98d4-4c5e-814f-bbdfcb6a3d17} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 3 -isForBrowser -prefsHandle 892 -prefMapHandle 3524 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e1bc13b-9911-478d-9e87-7fdb8baafd7b} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4924 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4932 -prefMapHandle 5020 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4618f2bf-5085-451b-8ea5-93ca8da26014} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -childID 4 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c6b2244-9fdc-4023-88b1-953a4b354703} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3efa2763-6c3d-4c3e-849f-0babd90e69f4} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6164 -prefMapHandle 6168 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3169ee0a-7584-4619-af7f-0a5b8506abe8} 4576 "\\.\pipe\gecko-crash-server-pipe.4576" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
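The process list above is the chain worth detecting: the submitted sample runs a copy of itself as Temp\0e8d0864aa\svoutse.exe (the Files section gives that file the same SHA256 as the sample), further executables run from numeric directories under AppData (1000026000, 1000030001), and PowerShell is started with -executionpolicy remotesigned -File ...\1000039041\do.ps1, after which cmd.exe opens a browser at YouTube account and Google sign-in pages. RemoteSigned only requires signatures on scripts carrying a Mark-of-the-Web, so a script written locally by the loader runs under it just as it would under Bypass. Two caveats before turning this into a rule: the logged image is SysWOW64\powershell.exe while the command line names System32, because a 32-bit parent gets the WoW64 copy through file-system redirection, so match on the logged image path rather than the literal string; and the "wrote to memory" rows earlier on this page are a parent writing into children it has just created (powershell into cmd.exe, firefox into its own content processes), which is consistent with ordinary process start-up and is not evidence of injection on its own. The following Python is an added example, not part of this report or of any sandbox's tooling: it runs three per-event rules plus an ancestry check over constructed process-creation events whose paths and command lines are copied from the list above. The PIDs and parent links are assumed (2312, 3588 and 1692 appear in this report as memory-dump and signature PIDs, but their parent relationships are not stated), and the final benign control event is made up.

```python
"""Added example: process-tree rules over events shaped like this report's process list."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # logged image path (Sysmon EID 1 "Image" / 4688 "NewProcessName")
    cmdline: str   # logged command line


# Constructed sample telemetry. Paths and command lines are copied from the
# process list in this report; PIDs, parent links and the last (benign) event
# are assumed for the example.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2312, 4000,
              r"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8.exe"'),
    ProcEvent(3588, 2312,
              r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"'),
    ProcEvent(1756, 3588,
              r"C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe",
              r'"C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe"'),
    ProcEvent(1692, 3588,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned '
              r'-File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"'),
    ProcEvent(4072, 1692,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account'),
    ProcEvent(3696, 1692,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin'
              r'?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd'),
    ProcEvent(5000, 4000,  # benign control (made up): admin script from a non-user-writable path
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File "C:\Program Files\Corp\inventory.ps1"'),
]

USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# <10 hex/digit chars>\<name>.exe under Temp or Roaming: the layout of every dropped binary above
NUMERIC_DROP_DIR = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)
# RemoteSigned still runs a locally written unsigned script, so it is grouped with Bypass
PS_POLICY = re.compile(r"-executionpolicy\s+(?:bypass|unrestricted|remotesigned)\b", re.I)
PS_FILE = re.compile(r'-file\s+"?([^"\s]+)', re.I)
CMD_START_BROWSER = re.compile(r"/c\s+start\s+(?:msedge|chrome|firefox|iexplore)\s+(https?://\S+)", re.I)
LOGIN_URL = re.compile(r"accounts\.google\.com/ServiceLogin|/signin|/login|/account\b", re.I)


def image_name(path: str) -> str:
    """Match on the logged image name, not the command line (SysWOW64 vs System32)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Per-event rules; returns the names of the rules that fired, in a fixed order."""
    hits: List[str] = []
    name = image_name(ev.image)
    if NUMERIC_DROP_DIR.search(ev.image):
        hits.append("exe_from_numeric_drop_dir")
    if name == "powershell.exe" and PS_POLICY.search(ev.cmdline):
        m = PS_FILE.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("powershell_policy_override_script_in_userwritable")
    if name == "cmd.exe":
        m = CMD_START_BROWSER.search(ev.cmdline)
        if m and LOGIN_URL.search(m.group(1)):
            hits.append("cmd_opens_browser_at_login_page")
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk pid -> ppid as far as the telemetry reaches; cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Per-event rules plus one tree rule: a browser sign-in launch whose ancestors include a dropped exe."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if "cmd_opens_browser_at_login_page" in hits and any(
            NUMERIC_DROP_DIR.search(a.image) for a in ancestry(events, ev.ppid)
        ):
            hits.append("browser_login_launch_under_dropped_exe")
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The tree rule is the one that carries the signal: a user typing `start msedge https://accounts.google.com/...` into a shell is odd but possible, while the same launch with a Temp-resident executable two levels up in the tree is the pattern this report shows.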

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.212.238:443 www.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
N/A 127.0.0.1:49857 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49864 tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
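Read as a whole, the table above splits into two classes. Three hosts are contacted by bare IP over tcp/80 with no hostname in the domain column (31.41.244.10, 31.41.244.11 and 185.215.113.103, the last one twice), and the only DNS activity tied to them is a reverse lookup of 31.41.244.10 through 8.8.8.8. Everything else is resolved by name and is what the launched Firefox sessions generate (YouTube, Google sign-in, the Mozilla CDNs, the OpenH264 and Widevine downloads). The bare-IP HTTP destinations are the rows to block and pivot on; the named traffic is noise to keep out of an IOC list. The following Python is an added example, not part of this report or of the sandbox that produced it: it parses rows in the format printed above (a copied subset, including the header line, is embedded as the sample input), drops loopback rows, decodes PTR query names, and separates the two classes.

```python
"""Added example: split this report's network table into direct-IP traffic and name-resolved traffic."""
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, List, NamedTuple, Optional


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the report leaves the column empty (loopback rows)
    proto: str


# "Country Destination Domain Proto" rows as printed above; the domain column is optional.
ROW = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")

# Rows copied from the table above (a subset, with the header, which the parser must skip).
SAMPLE_TABLE = """\
Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
N/A 127.0.0.1:49857 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
NL 142.250.102.84:443 accounts.google.com tcp
""".splitlines()


def parse_rows(lines: List[str]) -> List[Conn]:
    """Parse every line that matches the row layout; header and blank lines are ignored."""
    conns: List[Conn] = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_ip_literal(s: Optional[str]) -> bool:
    try:
        ipaddress.ip_address(s or "")
        return True
    except ValueError:
        return False


def ptr_target(name: Optional[str]) -> Optional[str]:
    """'10.244.41.31.in-addr.arpa' -> '31.41.244.10' (PTR labels are the octets reversed)."""
    m = PTR.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(lines: List[str]) -> Dict[str, Any]:
    direct_ip: Counter = Counter()   # (ip, port, proto) -> row count; no hostname resolved
    named: Counter = Counter()       # (domain, port) -> row count; browser/CDN style traffic
    dns_queries: List[str] = []
    for c in parse_rows(lines):
        if is_ip_literal(c.ip) and ipaddress.ip_address(c.ip).is_loopback:
            continue                                   # sandbox-local plumbing
        if c.port == 53 and c.proto == "udp":
            dns_queries.append(c.domain or "")
        elif c.domain is None or is_ip_literal(c.domain):
            direct_ip[(c.ip, c.port, c.proto)] += 1
        else:
            named[(c.domain, c.port)] += 1
    reverse_lookups = {t for t in (ptr_target(q) for q in dns_queries) if t}
    return {"direct_ip": direct_ip, "named": named,
            "dns_queries": dns_queries, "reverse_lookups": reverse_lookups}


def plaintext_ip_iocs(result: Dict[str, Any]) -> List[str]:
    """Bare-IP destinations on tcp/80: the rows to block first and to pivot on."""
    return sorted({ip for (ip, port, proto) in result["direct_ip"] if port == 80 and proto == "tcp"})


if __name__ == "__main__":
    r = triage(SAMPLE_TABLE)
    print("direct-IP:", dict(r["direct_ip"]))
    print("reverse lookups:", r["reverse_lookups"])
    print("plaintext IP IOCs:", plaintext_ip_iocs(r))
```

Feeding the full table in gives the same three IPs; the named counter then also shows how much of the volume is the browser talking to Google and Mozilla, which is the part not to put on a blocklist.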

Files

memory/2312-0-0x0000000000C70000-0x0000000001115000-memory.dmp

memory/2312-1-0x0000000077606000-0x0000000077608000-memory.dmp

memory/2312-2-0x0000000000C71000-0x0000000000C9F000-memory.dmp

memory/2312-3-0x0000000000C70000-0x0000000001115000-memory.dmp

memory/2312-4-0x0000000000C70000-0x0000000001115000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 bef90e67c56413d8e7a94cbd45f9b9a1
SHA1 dfc9e49ea097f1955e5830055a7c685d76c6d0d1
SHA256 1c3a4f586345aa8bb07fdf7def83b40026080b1af777cdf82f00909282ea87b8
SHA512 ae647a17eafe300f4a465eeda4de2e3b936f39cbbf44a01b1036e5c18c3b40a2cc89e55a4ee0fbc880bafacca1f8781d10b317f187303076038a237aa85bc07d

memory/3588-15-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/2312-18-0x0000000000C70000-0x0000000001115000-memory.dmp

memory/3588-19-0x0000000000CD1000-0x0000000000CFF000-memory.dmp

memory/3588-20-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-21-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-22-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-23-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-25-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3096-26-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-27-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3096-29-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3096-28-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3096-30-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\49b245a537.exe

MD5 b568ff86da616dd1a46d9fbfa9415f72
SHA1 1f0a299ee6349d54d18b5147ff957544501b66fd
SHA256 8e6e5197c7542613f4fcf6dedfdd6a774f1464876cdd2defcfc05d092d169180
SHA512 b1e3c0703d317973c6bfda8bcab2c5bc97de12062d0ac908bb9b3e651892244630df1f07076b43d3a4b0da8a0ff7ec10bbaafb1931377542c9c812494b067b29

memory/1756-47-0x00000000002B0000-0x0000000000943000-memory.dmp

memory/852-63-0x0000000000790000-0x0000000000E23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1692-71-0x00000000030E0000-0x0000000003116000-memory.dmp

memory/1692-72-0x0000000005D20000-0x000000000634A000-memory.dmp

memory/1692-73-0x0000000005B70000-0x0000000005B92000-memory.dmp

memory/1692-74-0x0000000006350000-0x00000000063B6000-memory.dmp

memory/1692-75-0x00000000063C0000-0x0000000006426000-memory.dmp

memory/1756-77-0x00000000002B0000-0x0000000000943000-memory.dmp

memory/1692-83-0x0000000006430000-0x0000000006787000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5f1gkz0.way.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1692-87-0x0000000006900000-0x000000000691E000-memory.dmp

memory/1692-88-0x0000000006920000-0x000000000696C000-memory.dmp

memory/1692-90-0x0000000007B30000-0x0000000007BC6000-memory.dmp

memory/1692-91-0x0000000006E50000-0x0000000006E6A000-memory.dmp

memory/1692-92-0x0000000007A90000-0x0000000007AB2000-memory.dmp

memory/1692-93-0x00000000081B0000-0x0000000008756000-memory.dmp

memory/3588-101-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 efe6be126ca36f4a6a3559c2d34b7028
SHA1 a4770321504f5366888166e92853916893f16fc1
SHA256 f7934123470d3566ab280b15d90ea9d17565807c8aebb270701bff32ecee8351
SHA512 5d37a676fa9d921c06a71efb1738a5e83aa74c122166b874dfde6549e84a557c8e19be516807dac279e20e04776d96daf4fc44252f17b08780521d9ae3c3a11b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\7ebcc57e-dfa7-4ca9-a7ce-4eacb5811652

MD5 a612afbeaca74dae2fe9a69b934c3ba2
SHA1 63dec12c5067f1659a4de99688fe5a7b785b2d91
SHA256 2c4b6b920ef2b5d63ea9ce4e29895200269fb780bee5e2aec194b756fe8a5233
SHA512 c3a8881c807c056d6fa0c40492e4619855873371278953cf4998434f4d07d71cdfc6b4c22d40ba109234afda73d9c0a3f61217cc06b530c918c734aaf556f2ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\34761bea-cdb6-4e9a-a4b2-f909b6461c0e

MD5 27cf698b09e7469d64e3d9420881d760
SHA1 b93d1310928af3168a46aed8d32e660779599e09
SHA256 8444d9b4f4e25c3559fe11528e7137fecffbf72691921eb0f26ec020125b815f
SHA512 cc30a08daf52066fe97fbd29c876c265438358c26e97f074af28a65bde9db6b0a8dfbe589dca9faf1825c3816556a69cb3fd112ce82b1db6455eed3a13c7388a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\1aab1e06-7e9b-4326-9736-f2f996a5fee2

MD5 a85bd15f860e1e36633e546b7d10fdce
SHA1 eb8ced4937c97aaee51c16afb8f6b37692f6eb64
SHA256 cdb4f93cac0daf3ca10e5aa5f765410fe7a65a4802d68d698a84acd40e64250c
SHA512 14c4dcae814e36f1ca122e5c844d20a3f37998c24f238b8a00d1e5926522d69358a7508128d809c55d9a0e53d02248eee181f69fd746b6539070a66ae4987d05

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 dd5459cfcec9f81d5b7d49455c073b38
SHA1 7536434b741a75e018e244c6e8e78ae1e0a4e3bb
SHA256 a272854ccaad071172d0c7dcea077a6c4fed9e429019a1a116c60a5b9960c386
SHA512 87a3b5fb773fb742316d9c0127e1f3fb8ff053cea626b65b8c6694a4eeb09ac24f012d8eb0716ab1e641b688907221b6819eac00ea1136ba8cf4aa72768951d8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

MD5 2f23e27773e0968bb633e6c8c0b0f895
SHA1 f9dfe8ea42089f25ccd3470ed3f1d77bb4f605db
SHA256 415cf015373550cc17cfafc4fce45148d5829a3b582f75c13d71cad8f63ad376
SHA512 2b08ba933216993fd1b0248e3f8a47bf2106cfc4016e7db5b96a538a4b5e372ac936b5a8071bcfb0081d76a392520220476ba8692f77529d34a29d0f91cdeb2a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 a86759aa1a9cb846dc4eef4c7b396f8f
SHA1 0e5c1af6ba1a802085c8a461501cb76748f5f5ef
SHA256 bbbd9da2ff3e66851376b02cdee689ca380bbfccd4b53ea0c3402260221bbebb
SHA512 6b4a6fa171012501d8614ecf5d1dc5b824ad0009e906e679ba74235167c3fd9c3c9a00cc59ae68ba257e504321bfdc2145ff390584c306e929bd76585a1856df

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 064c00df633e3aba3744413f3bc6cd15
SHA1 38f51296e2032e08bdc1e3a998b72984b384e018
SHA256 60e280c7a2b7d11da31b44192f51374d25a36c84a4729a60cf2b9bc5d8958031
SHA512 2b0c930c2e8c001da6e4ec7812baba097496b9529acfe0b275e994a8f1dab0529799f602dac002bf83e23ab2ba92f40d320ce568a291692417f4bf0b8f458a81

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

MD5 2bd21c6eb5811960b0608f260417c6b4
SHA1 817c68c3f223017ce8041ac020557926c85e2efe
SHA256 930158857fedd823e1acfbab41ec97d0db741c127657992059dc4ff704194c35
SHA512 c03666d0d9f4381c8b014dc24003ec947aac96cfd5e1ad1ec32b054c461e0ad4dce84c4f0ee0b4e9b6de3a3438aaec3aebf0be6cb1f2686e360e1b93035bffeb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 4b2b436a972cb6d4965a587ec49756d9
SHA1 eb08c04ef23aeb6bf645210a78959728c4298aec
SHA256 631ec6bc898ab8ab5b892982d2535dea1e12256140c8048a5c1a372c3375c488
SHA512 c4a9a48c5ca13589f9966e37ac29522f48c2410a340d5ed6bb5a1de8a7721ab2ae1d101b831cf54f3c4f63e96c6b675e7daf48b175fbddef66bb3277983e91ef

memory/852-463-0x0000000000790000-0x0000000000E23000-memory.dmp

memory/3588-499-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

MD5 6dead8d56f44a7d5766909d7caaf689d
SHA1 5275c8c92ab31c5fee7e9d148e4704589ef8c728
SHA256 3c855cb3d37c9689e8d7972f928b071fe19b6d1be827a99c5a9e71d22dd8dd53
SHA512 12c531cd320f7d39d18fb2e3a532527ede3df1aed496c51371e41e82dc42044ac83bec93f5b08392cfeaae5d3d3096a56a846fa0d9514a6b14961066726f9b02

memory/3588-521-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 89ef187f9646f366349a5b751455fe59
SHA1 874129bd9ec1247118737c6ee24f0b6ebabad61a
SHA256 a00e2f11c954f6ccc7b0263f09ae7cc8b2059c2425c4b80e8f0f89004c267647
SHA512 0e53a22c663fcb2819a2032b0cd9f1ffc22ec2eed59158acfece19b8e21687166e8d7e9d7347738a11d0798a494a2f245b1d0b41e3aefd52ec37ee361cae6b3c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 6ec4c671921f7099d75b77d0814c7397
SHA1 d6f6e907697ba8b987c5d03d13490533388933a6
SHA256 803a5a5cd9f7710f037dc55fd8ff1203ff209215492d92b38975abd88145f24e
SHA512 7a764ff55b09fbc5af53dd3054f903c004fc606c9be2f7420e467bca08d6d6aba1b83872578d2a7ccc3c1b8afd5cdadeab4e3f03c77eaca49091cbb24a5b5721

memory/3588-548-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 1c48715ee2e570487ced8207590cb8cd
SHA1 08810ae3608bbc7ae977f99f9ae634731459eabc
SHA256 d6e752b4ea593e3e40ed79b68d1e20b8d892f8c96a5b7246aa8c843beec3948d
SHA512 b2e04e242a3512d3d0e26755539e1447c74822fe1ecde6191d13aee3128faa057c94a2317c184f220253e48e5ba1b60399c19de57d7768923bc1fd2cc2c6c60e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

MD5 4d199b89055732ea0d3435eb2307ed64
SHA1 604564a4ae7e31efb544ec34c978b156b1797f5e
SHA256 63f70e0b6ff30b6a1b9f6fe0f01f80ff793f887f5f22c5d34817ec2a362d15db
SHA512 07a650995305cba6bcd726c81d782d61a179be419115354eef94aa4b883eb42527e86a4250222825e9a332fdb068391a593ede68827e4aa8da7f5e2ed936810e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 3a2b0173a4c1188be87595f3ca2acd45
SHA1 18d1f9ab5ef51ad3f1a17ab9eac654dc018b7f12
SHA256 7e9763448c66b4b70572ce3435c10be127ce492051c3df517609f47aac0c1af6
SHA512 47e1e07f4faa44863b8fee58f5b04c29f395d4bcd1449c99eccb04fff5b424f58a03d9513a640f9f872b0f3bd47785a67e76a9829f209396e05952485729da49

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 c55f4c921f8f9325e92326cdf9087956
SHA1 7cb1e3b1c5cf9aa5cbeab88139ac348167da9925
SHA256 537f202214fffc4a1cc4410c57ff5380bdb802baa317944eed7d03768944607d
SHA512 04516ed4d410d06063c9b0ddca94232c18ade3b7784b3b055cb2d8fee5a02670ea3c0b6a34945cebf2a3a26c0736092aa676b669de613a3128527ca4ac428d9b

memory/3588-626-0x0000000000CD0000-0x0000000001175000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 ddc2e039d510d522ecbbb679958173f5
SHA1 ca7bd703d6b7315621f6d6566ecf1194023adcc7
SHA256 2c00f4e712b8e226e8a1095146b42c19d53bde8720175f0d7a7ee04df1c86512
SHA512 7bfe31788bae7f425ff33f31731deeacb8849c54d60b5ed81369dbc922f588c2b2b811f041d238cd721fb236ef69cbcf065b210aadd066242e2825745eb03782

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 b059d95c1c125c6a886c6082bb45610b
SHA1 97ead074e7e83628f5071b34e67219bf8730f1f4
SHA256 57e8b17b2bf23fb4c3fc2eb7c21ca123602291984f4186e1f65c27530a64fb2e
SHA512 044fd70256884edbaa56092bd7c68c7c1f082eaebbf7d749a66966af85b3a07c3f01385b501668d335f9ef788a57b31ca5e94740221f0614bc7c3c7cd86b3cd8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 02aaa90cdd0bf01d95bead39f1f55e6c
SHA1 b07e5898799aed8f0968cc501fca501e083b7918
SHA256 a23421264c4a13a5fd97d4d41fb3a6e69d02f196ace39c6ae834e9d0eeaf95ec
SHA512 c0bebfff20707590643791ad4e584b9134c6a9b773f5224a3378ddf13c62bf7a82f438f96d627fcfcfca9219e15e5b640f5a7a15a3b14f38bf94e7a7ab5dfdd4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 05d0428dca5ce2721a054d73af2fc03e
SHA1 73714f833e9f601ea38930b93e873724bdee7ac6
SHA256 7b61f2e7ffc1b76a0d957c41ca45b1af47267fc579c38206169c603d9ec50cc1
SHA512 408dd35778102fac2d6aff5ecec7c43959e4668c32c03c53a7fc6cc608b50767869bd1aacec6436384f612a189f6c0c8b58c61b284a02f93f81a35af87b31a79

memory/3588-871-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/5756-877-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-1387-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-1859-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-2101-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-2749-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-2751-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-2755-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/5196-2756-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/5196-2757-0x0000000000CD0000-0x0000000001175000-memory.dmp

memory/3588-2758-0x0000000000CD0000-0x0000000001175000-memory.dmp