Malware Analysis Report

2024-10-23 21:52

Sample ID 240910-yrxznssdqm
Target de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32
SHA256 de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32

Threat Level: Known bad

The file de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 20:01

Reported

2024-09-10 20:04

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e34e98ef5e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e34e98ef5e.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
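The evasion and persistence rows above (the VBOX__ ACPI key, the SystemBiosVersion/VideoBiosVersion queries, the Software\Wine probe, the Run value pointing into the user's Temp folder, and the svoutse.job file under C:\Windows\Tasks) are ordinary registry and file events on their own; what earns a verdict is which process performed them and in what combination. As an added example, not part of this report or of the sandbox's own tooling, the Python below takes rows in the report's Description / Indicator / Process / Target layout (the sample rows are copied from the tables above) and tags each process with the checks it performed. The rule names, function names and the list of user-writable directories are this example's own; the ATT&CK IDs are the standard mappings for these behaviours.

```python
import re
from collections import defaultdict

# Row layout of the signature tables above: Description, Indicator, Process, Target.
# The description is a fixed vocabulary and the indicator may contain spaces
# ("Control Panel\International\Geo\Nation"), so the process column is located
# by its drive-letter prefix and the target is the final token.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Set value \(str\)|File created)\s+"
    r"(?P<indicator>\S.*?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?)\s+"
    r"(?P<target>\S+)$"
)

# Rule names are this example's own labels. The path patterns come from the
# indicators the report lists; the ATT&CK IDs are the standard mappings.
EVASION_RULES = {
    "virtualbox_acpi":    (r"\\HARDWARE\\ACPI\\[A-Z]+\\VBOX__$", "T1497.001"),
    "bios_version_query": (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "T1497.001"),
    "wine_registry":      (r"\\Software\\Wine$", "T1497.001"),
}
PERSISTENCE_IDS = {"run_key_to_user_writable_path": "T1547.001", "legacy_task_job_file": "T1053.005"}
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\[^=]+=\s*"?(?P<image>[A-Za-z]:.+?)"?$', re.I)
JOB_FILE_RE = re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.I)
# Directories any user can write to (this example's list); an autostart image
# living in one of them deserves a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# Constructed input: rows copied from the tables above, one per signature of interest.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e34e98ef5e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e34e98ef5e.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A',
    r"File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A",
]


def parse_row(line):
    """Split one report row into its four columns, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def autostart_image(indicator):
    """Image path stored in a Run value, or None. The sandbox prints the value
    data with escaped backslashes, which are collapsed here."""
    m = RUN_VALUE_RE.search(indicator)
    return m["image"].replace("\\\\", "\\") if m else None


def classify(rows):
    """Map each process path to the set of rule names its rows triggered."""
    hits = defaultdict(set)
    for line in rows:
        ev = parse_row(line)
        if ev is None:
            continue
        ind, proc = ev["indicator"], ev["process"]
        if ev["desc"] in ("Key opened", "Key value queried"):
            for name, (pattern, _) in EVASION_RULES.items():
                if re.search(pattern, ind, re.I):
                    hits[proc].add(name)
        elif ev["desc"] == "Set value (str)":
            image = autostart_image(ind)
            if image and any(loc in image.lower() for loc in USER_WRITABLE):
                hits[proc].add("run_key_to_user_writable_path")
        elif ev["desc"] == "File created" and JOB_FILE_RE.search(ind):
            hits[proc].add("legacy_task_job_file")
    return dict(hits)


def techniques(rule_names):
    """Sorted ATT&CK technique IDs for a set of rule names."""
    ids = {name: tid for name, (_, tid) in EVASION_RULES.items()}
    ids.update(PERSISTENCE_IDS)
    return sorted({ids[name] for name in rule_names})


if __name__ == "__main__":
    for proc, rules in classify(SAMPLE_ROWS).items():
        print(f"{proc}\n    {sorted(rules)} -> {techniques(rules)}")
```

Two caveats when turning this into a detection. A BIOS-version query by itself is common in legitimate installers and hardware utilities, so bios_version_query should only raise a verdict together with another check, or when the querying image is a freshly dropped binary under Temp as svoutse.exe is here. And the Run value written by svoutse.exe points at the dropped e34e98ef5e.exe rather than at the loader itself, so a hunt for this persistence has to look for the payload path, not the path of the process that wrote the key.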

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 64 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 64 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 64 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe
PID 2872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe
PID 2872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe
PID 2872 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe
PID 2872 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe
PID 2872 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe
PID 2872 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4524 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4524 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4524 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1476 wrote to memory of 2952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1476 wrote to memory of 4808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1476 wrote to memory of 4808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
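The WriteProcessMemory rows above, together with the command lines listed under Processes below, are the only parent/child information in this report, and the sandbox prints one row per write rather than a tree. As an added example, not part of this report or of the sandbox's own tooling, the Python below collapses those rows (copied from the table above) into a process tree and pulls out the URLs each browser was handed, whether directly or through cmd.exe /c start. The PIDs, paths and command lines are the report's; the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "Suspicious use of WriteProcessMemory" rows as the report prints them:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# The sandbox logs one row per write, so the same parent/child pair repeats.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe)\s+(?P<dst_img>[A-Za-z]:\\.+?\.exe)$",
    re.I,
)
URL_RE = re.compile(r"https?://\S+")
START_RE = re.compile(r"\bstart\s+(\S+)", re.I)  # cmd /c start <program> <url>
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]+?\.exe)"?', re.I)

# Constructed input: the distinct edges from the table above, plus one repeated row.
SAMPLE_WPM_ROWS = [
    r"PID 64 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
    r"PID 64 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
    r"PID 2872 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe",
    r"PID 2872 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe",
    r"PID 2872 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1476 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1476 wrote to memory of 4524 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1476 wrote to memory of 2952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 2952 wrote to memory of 1416 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 1476 wrote to memory of 4808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 4808 wrote to memory of 3424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
    r"PID 1416 wrote to memory of 2056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe",
]
# Constructed input: command lines copied from the Processes section of this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"',
    r'"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account',
    r'"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7',
]


def build_tree(rows):
    """Collapse the rows into (children, images): children[pid] is the ordered list
    of distinct PIDs the process wrote into, images[pid] its image path."""
    children, images = defaultdict(list), {}
    for line in rows:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), images


def roots(children):
    """PIDs that wrote into others but were never written into themselves."""
    spawned = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in spawned]


def render(children, images, pid, depth=0, out=None):
    """Indented text tree, one line per process, depth-first in row order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {images[pid]}")
    for child in children.get(pid, []):
        render(children, images, child, depth + 1, out)
    return out


def ancestry(children, images, pid):
    """Image basenames from the root process down to pid."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [images[p].rsplit("\\", 1)[-1] for p in reversed(chain)]


def browser_targets(cmdlines):
    """URLs each browser was told to open, keyed by browser name. Covers a direct
    launch (firefox.exe <url>) and the indirect cmd /c start msedge <url>."""
    targets = defaultdict(set)
    for cl in cmdlines:
        urls = URL_RE.findall(cl)
        if not urls:
            continue
        started, launcher = START_RE.search(cl), EXE_RE.match(cl)
        if started:
            name = started.group(1)
        else:
            name = launcher["exe"].rsplit("\\", 1)[-1] if launcher else "?"
        targets[re.sub(r"\.exe$", "", name.lower())].update(urls)
    return dict(targets)


def contacted_hosts(targets):
    """Distinct hostnames across every URL handed to a browser."""
    return sorted({urlsplit(u).netloc for urls in targets.values() for u in urls})


if __name__ == "__main__":
    children, images = build_tree(SAMPLE_WPM_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    for browser, urls in browser_targets(SAMPLE_CMDLINES).items():
        print(browser, sorted(urls))
```

Rendered, the tree reads as the chain the report's signatures describe: the sample writes into svoutse.exe (its copy under Temp\0e8d0864aa), svoutse.exe starts the two payloads in numbered folders plus powershell.exe, and every firefox.exe instance descends from that PowerShell process running do.ps1; the Edge instances are launched through cmd.exe /c start, which does not show up as a WriteProcessMemory edge in the table. The report does not include do.ps1 itself, so what the script does once the YouTube and Google account pages are open is not on this page. Note also that the PowerShell command line names System32\...\powershell.exe while the process image is under SysWOW64: that is WOW64 file system redirection, the 32-bit loader launched the 32-bit PowerShell. For a SIEM rule the equivalent pattern is powershell.exe whose parent lives under the user's Temp folder spawning cmd.exe /c start <browser> <url> or a browser with a URL argument.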

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe

"C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe

"C:\Users\Admin\AppData\Roaming\1000026000\22520f2363.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\e34e98ef5e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f9368a-7c61-4cc3-90a6-f7504dc4d5de} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4a2146f8,0x7fff4a214708,0x7fff4a214718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff4a2146f8,0x7fff4a214708,0x7fff4a214718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2429f130-0d8e-49ea-b595-ee2e77d23db2} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 1624 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0661f0-41c2-4dbc-a0b8-348f523d32c9} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3468 -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3544 -prefsLen 22631 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b0ec6f-30bc-417a-a23e-287409fe064c} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -childID 3 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {208e854d-05c2-4a49-a3fe-dd235ab496a1} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5052 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5008 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9251b2ee-1f68-4b6d-9e73-5ef5407d9418} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6950120023124610419,6498145593456389248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6950120023124610419,6498145593456389248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5788 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba69228b-a8c9-4ccd-b767-18da5d7c938d} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5896 -prefMapHandle 5900 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6a3e01d-9e09-402b-9b68-aea812fa6b03} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5960 -childID 6 -isForBrowser -prefsHandle 5968 -prefMapHandle 5908 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b361d0c-ce70-4163-95ad-b790274f9cc9} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2853325151221497178,13896580638630086844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Files

SHA512 6875ab22747a3d450442b4e1b5b4273f6f9fc25b650d693c9a503359ec3bfb717c5706077b60995aaa6a0653b727370f431bc760feb93901462341c8edae1a94

memory/2872-871-0x0000000000660000-0x0000000000B19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2872-912-0x0000000000660000-0x0000000000B19000-memory.dmp

memory/2872-922-0x0000000000660000-0x0000000000B19000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 6cf7237287530dbe0cd0394defd228d5
SHA1 ab360e1e6d86f154d03f68ba25cc36d598db4bf4
SHA256 098ef4b97a743fe2ffab74ca20056ef02b5fb69480a4a1784c8d84ee24e65a22
SHA512 9a4edbbdd7978ffaff481ebedcda3acd79c3aa17da6180c568a885680d598b81b2b7ef886abc5fa18037f9b211571cfc8ffb592af52afd0ff6d8351fa37f7f4b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 22a497262015b4a0487ded284ba50069
SHA1 1c7a70cdb697cf3f7a8b84f945d73b6d795e4d3e
SHA256 e798e27ffe8be322a97e93cd658eee396ef12ab9771ad8cd9ec8099b9a09f75d
SHA512 a80aeef3a81ef3fab42adf4e0388ffc0eb695f9954424e0efe9cd595351c939d16ff6cbb52198b5a6113d499e2b5fc570e49e3bd2f47923d925c30587da5baa9

memory/2872-1223-0x0000000000660000-0x0000000000B19000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 187be537828600cf619d05343206073d
SHA1 c3f95c5092eb507ed292653d4949e1ad3f553446
SHA256 b8d99c4a14f1f87e671321109fd0948a1e678cb74c2e0c998d05d76ff506762f
SHA512 094ee0989f9f33116c41e25bc43834ab28b48421746030eae42afb47fe8030020a1ef8911857decf37829e80d6b340db3d7a15b557331911232271700349f3ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 70007a5d917dddd5dbf0569f8412fe8f
SHA1 a59703d0f0fe190b411e0f2e0ccef6296165db20
SHA256 09c8f8ed2a9ac93c3dfbbf273cc1851d22e3617e90dd43093101c3a887c3e036
SHA512 9e0f82e8b5f2e6d8ed89c2477bdb5e8dad16d49492980c01a1dcac6dd08c66ec65ed37b0f77442f5c1fc30b1a371b43f8e35b84e896371124485c2a67cd6d817

memory/2872-1817-0x0000000000660000-0x0000000000B19000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 51cdd9857ce88b190fac89c6d089ca61
SHA1 9262885b8e7e03ab96a0a00c120df114576be97d
SHA256 f3942989c6881142abb380539734ef0940190b750cb3ede4a6763f6ca41cab14
SHA512 8e7b13d61000dfbc9aca76d7139f10bfe0c30db2fd9a36450176e0d3eb1886db02b5b3110a9c041bc196ee72a982335ef4b5563e76829c0127cfef5e3cb36363

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a908.TMP

MD5 0158e2dccb7f7c9852f1464610083509
SHA1 896bbc7004ed561ea2811870368ca0729830ef81
SHA256 9f207c2d10f7a16d0caf16063b1fd5a3333deded0777ad01f22a762dc6c64c56
SHA512 5e96a8d93394e96a60bdfab64b48f169e52fa28f982b74bfa814828a42641b0744a2a2862bb4040b3ddb3950b7ec97903bf606cf5b261e701597adae9253f83b

memory/7164-2031-0x0000000000660000-0x0000000000B19000-memory.dmp

memory/2872-2032-0x0000000000660000-0x0000000000B19000-memory.dmp

memory/2872-2561-0x0000000000660000-0x0000000000B19000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 20:01

Reported

2024-09-10 20:04

Platform

win11-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\edf877e35e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\edf877e35e.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4616 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4616 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1312 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe
PID 1312 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe
PID 1312 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe
PID 1312 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe
PID 1312 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe
PID 1312 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe
PID 1312 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5108 wrote to memory of 3096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 3096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 3096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 1500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 1500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 1500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5108 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2796 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5108 wrote to memory of 580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5108 wrote to memory of 580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 580 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 924 wrote to memory of 2228 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe

"C:\Users\Admin\AppData\Local\Temp\de43f53aa96dac7458f3131343e076429ed33b4eb29c65af41e6a0275b50ea32.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe

"C:\Users\Admin\AppData\Roaming\1000026000\59a1596abb.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\edf877e35e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e2142c-a2db-4efd-a4a5-f5c5e476809a} 924 "\\.\pipe\gecko-crash-server-pipe.924" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37aa6149-649f-40e2-a787-3296c5744d68} 924 "\\.\pipe\gecko-crash-server-pipe.924" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56acacd9-6da6-4e4d-9aa8-fab24f363a90} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3568 -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3544 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a9bc336-1293-4640-807a-6d834c61b139} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d25631e-ad96-4e9d-a2e4-0868a965036a} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 4980 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f63f8524-9e7e-43e9-853a-da90d60441b8} 924 "\\.\pipe\gecko-crash-server-pipe.924" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cb63db-a76e-45ff-8bac-c03484e57d63} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10f47c36-21f6-4b61-bdcc-316d538f6f30} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 6 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {680ee8b7-c68f-407d-8369-37875a06f2db} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Files
