Malware Analysis Report

2024-10-23 21:52

Sample ID 240910-z4gznaxamf
Target 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
SHA256 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
Tags
amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712

Threat Level: Known bad

The file 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 21:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 21:16

Reported

2024-09-10 21:18

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\053f231eba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\053f231eba.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3976 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3976 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3644 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe
PID 3644 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe
PID 3644 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe
PID 3644 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe
PID 3644 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe
PID 3644 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe
PID 3644 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 1096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1152 wrote to memory of 1096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1096 wrote to memory of 4864 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1152 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1152 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1992 wrote to memory of 860 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4864 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe

"C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe

"C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\053f231eba.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {361f3db3-f8af-4279-b01e-0a0cb5f3083a} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff5c8746f8,0x7fff5c874708,0x7fff5c874718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff5c8746f8,0x7fff5c874708,0x7fff5c874718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d027afb-b720-4bdf-bb36-65e48c7d9e08} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2704 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 2976 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25f3dc05-ee81-4a68-9b7d-2df4aea98596} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cffda46-414d-4e01-90f6-148ae176efda} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -childID 3 -isForBrowser -prefsHandle 4488 -prefMapHandle 4484 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbaa580b-9895-48fc-8893-e80660683a71} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5084 -prefMapHandle 5068 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d187bbcb-841a-4e7b-af35-7ea4b6f74048} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3500442194228025836,5535943886462856965,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3500442194228025836,5535943886462856965,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eee98600-c3ff-4f30-9773-d741880f6618} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cb04e3-fc5a-4008-a36d-a1bb51baeacd} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 6 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {987db807-68a2-45cd-9350-63cb3aec4631} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16638039516643793851,16025883657250897254,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.187.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 158.124.235.44.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:63893 tcp
N/A 127.0.0.1:63910 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp

Files

memory/3976-0-0x0000000000320000-0x00000000007E2000-memory.dmp

memory/3976-1-0x0000000077604000-0x0000000077606000-memory.dmp

memory/3976-2-0x0000000000321000-0x000000000034F000-memory.dmp

memory/3976-3-0x0000000000320000-0x00000000007E2000-memory.dmp

memory/3976-5-0x0000000000320000-0x00000000007E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 260bb7213697b9eab79cfff7cd5bebe1
SHA1 350b664626ee1dcf9fd7bca4cd04a87a4c11adf4
SHA256 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
SHA512 2d8bb03f5b4ed992902aefa7535add761f74e981791bc9058d30bda43b53f92dc86d6e84e0703add200ba2987aa15de188f9eb493d4c8ecc1058094efbbaed99

memory/3976-17-0x0000000000320000-0x00000000007E2000-memory.dmp

memory/3644-18-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-19-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-20-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-21-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-22-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\6eb5ff5e86.exe

MD5 ac12bb478b2ae055df15787d43a8dd61
SHA1 78b92499be7174aff470707436ee99eb5e1306f1
SHA256 7c4160768d4c205ed30a845b211a04a53f870d55ab8276f0c6de420a0345025c
SHA512 22b786889143f6886972ba6dad0d8617ef8f54536db514dfc5d9de8c74c22b7429fd0b4feea31fed1d928db46752d64615e94d56b856c1681dccc52f2f8e4aca

memory/1648-38-0x0000000000820000-0x0000000000E92000-memory.dmp

memory/1648-47-0x0000000000821000-0x0000000000835000-memory.dmp

memory/1648-48-0x0000000000820000-0x0000000000E92000-memory.dmp

memory/1188-56-0x0000000000690000-0x0000000000D02000-memory.dmp

memory/1648-58-0x0000000000820000-0x0000000000E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1152-66-0x0000000002970000-0x00000000029A6000-memory.dmp

memory/1152-67-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/1188-69-0x0000000000690000-0x0000000000D02000-memory.dmp

memory/1152-70-0x0000000005B00000-0x0000000005B22000-memory.dmp

memory/1152-72-0x0000000005C10000-0x0000000005C76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkueobnw.uek.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1152-71-0x0000000005BA0000-0x0000000005C06000-memory.dmp

memory/1152-82-0x0000000005D80000-0x00000000060D4000-memory.dmp

memory/1152-83-0x0000000006230000-0x000000000624E000-memory.dmp

memory/1152-84-0x00000000062D0000-0x000000000631C000-memory.dmp

memory/3644-86-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/1152-87-0x0000000007290000-0x0000000007326000-memory.dmp

memory/1152-88-0x00000000067B0000-0x00000000067CA000-memory.dmp

memory/1152-89-0x0000000006810000-0x0000000006832000-memory.dmp

memory/1152-90-0x0000000007B00000-0x00000000080A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 983cbc1f706a155d63496ebc4d66515e
SHA1 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256 cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512 d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

memory/3644-102-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 3ca1c7e1475917a62d6cd04d5a58f7a5
SHA1 40cb1976f110360bb8245ba169b34cdaffc8117b
SHA256 04a490c774174484bf38dbb5ff47ac99e54b1575c7c4ef035558f32f94bb3da7
SHA512 b18cb83ad69f3f8e9ed4259b695ecd39de21b39a3014d293e93d1cce6d67109633e3b7198cfb52694416ecf64e7d239783df9f80e38784725c1edd0c95b9d6c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\e59617dd-b71c-4de1-9297-c1fc81e62410

MD5 e53894ce02b0c5677e58e4fa17b8b00b
SHA1 93ae8ba8af66b3045c4992bc03b2e1d97e15907b
SHA256 40ba92db16e7b76f7d5eccfddfcfaf9fdada61d7413cd39a66d7d4d6961d0a12
SHA512 358b83b4c4ca97eb080b5496341e91626b009b42beafa53ec1e0cd2ea5b16183a646c335e8b3dc3d39001cede4933fce9a6d0d49fd5db5bb58ca04ddc63f41f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\d1a78dee-46de-4ae3-9309-78f495367780

MD5 5421be46d5c3bbcabce4d1a267d5b0ca
SHA1 beab05446ea57063dd932f683fe952f6074832ca
SHA256 a84ac0103daa3f1347ca83c2cb5bf6e4e4e3182b4a8e87ad455f2245248a907c
SHA512 38df61ecd47be86a48f84264f8d8687e8b314a26f0f57adb6f10049522509d8a5b1aa52cb01959c42729a00995bc3daeb123d79ffd2d9628ed8f5dcdd4b1e714

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 642fef074cd98e5f3f5fb8c0c8ee28f8
SHA1 4637417070aaadcc5c5ff29485b9bbd6e8dce9c9
SHA256 3247ba1c6ec428a20c5cf718bb30821f36e1126a779329341f9fcdb7b07e420f
SHA512 cda011565f08854bcfc4b7c886746eafcf6448d2d356d2ee8516284e12b30ba980afb326123fe9277cbc4fb1753371a0f7d16fe7c6cacf44ed8fc9330efa8de8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\4b017bcd-9759-443a-8e0f-949d6f96435d

MD5 18242f5a179a1a91d3f27d2eeaf80226
SHA1 9f87479f3672f82bb70dbfa18d0bb4807c74332b
SHA256 0ed5994ac495395e4a681d89d031367b517495d250066a07568d2f2e106acf5f
SHA512 2d2cf688305cb13cd6d51337931eda00cad91f5ecf91f1e39f8457cd95da33887588db89d1a625c6ada85b5ba4df675494b3802f53ad9b367eff2c6cb12f1829

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 607e1996d22a815c9738ba5ad7381049
SHA1 f6d5515b8c9409a4aa317b42ac34432848a88169
SHA256 d08a048c436b8d55978957b1e4628e0b11f81b75593791ddfa6d95503225c0c3
SHA512 839672e60711ac10300809b8126753c71ca7aae8a85b226c127634ac69058988f9d426100558cb1f76fd759bbc8b2b0b61ccffd48591909d3b3f3a3a5d8018e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 111c361619c017b5d09a13a56938bd54
SHA1 e02b363a8ceb95751623f25025a9299a2c931e07
SHA256 d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512 fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

memory/3644-367-0x00000000001E0000-0x00000000006A2000-memory.dmp

\??\pipe\LOCAL\crashpad_3200_SKWVYYMKXMJIZNUU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 62bd8a062c2eba9ae9e4c80fc4125603
SHA1 7b5886dd828510f60b2a7a0176bf9d9c0aad261d
SHA256 5e88d088ce5dacfed5e2d65a87d51b1587cfb09cb5365e746d44b15928f94b14
SHA512 973de4cb7919d3068f1b6b915ec8b0ce86e9f953fb11bce30276dcaae504d814ad7d99728f92994bcd374c8d5508a374224eb5f4f5a44b6fe38bc5c547748c72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 4c2f2d2b28db90385587305d3de31755
SHA1 2c7240879648dffeb5b76b0c0823e3539809b0a9
SHA256 9fd79c97df10e14c425a1bc6ea2d663ed5e448997b94a03b6a1a41c1fccfade1
SHA512 08bb136925e44950fde403e9b032d809295a428496ccc6f3f4fa4d290cacc9cebe80648d585009140faf581e9597cfe34d5c88eee6bffcdebaeb5f66b18f6752

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 fb8460ba5960f2ae218340f1fa6a6b0f
SHA1 74c11170984433ee9de40799fbb53357b349a086
SHA256 ea60467a94f0ab7592a10f232772f4005c92b7fa2056a82288107525d4cca02c
SHA512 8941a0e94047b5ba0b4bd80bfd49333a6dcbd42b1bdd295577eff17804b7aa8c2366cf60005f7b865fa01c88972d20f41be75d3ad3f608daa10d095d208dcf50

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 128e5234a2f64554d5909303b1a18a7b
SHA1 04df3f78a8a1358f8dcd71e29179b127727274bb
SHA256 3a862736b0565a155054a3cf1153347f7110b2ee9dabb40fca8b35fd6ad61d7f
SHA512 a926e5bc871898ee43fa222a50335b4d9a820fa7a714d715d5ae1793f196dfccf96cb4e18d588c0bd275fe73d1f7199b8ade4f3160a1d974136978d3766e95e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb4e1b49c98f5223099ffaaa70421132
SHA1 bf1e4dfe793d0c3acba5e097010ee5f5530fe4b7
SHA256 72d76d10a63c5ef4d622b427605b112f09925b6906158e90f42a413a11f38360
SHA512 f011f5c5456248ee98b587e53411c61d172de9d7b75e21dcdfaa470bbc0a78a8aec3b9ac15d78cc42fc616f8690aa637e9bf8baf936d30949922baca80351cd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 a4c0523c4cb47c933fc7de2805c3a4cf
SHA1 585245a3224a39482ea5524dfa1d9eb9d42aa782
SHA256 b24df93be100b131cfdf28d1a2c206d8ef46250260ebb2d3e67aa0e260c702e5
SHA512 216c4d076ec25680cacf787e69a883eb3893dd5b274cfae5c74da23234405087befd07faae51889e1856c9ef5c8fa956ec2c4b89829bdae71f5dc5af21a4130e

memory/3644-488-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 872cd8d4a7bdad30660d6dc8b69ea2e8
SHA1 510aecb72a0022a4efef7d166c6d9e4f5f9d72d3
SHA256 6f5e13041f10573377da742f9bb9416d792704439c3a3763d4ebea058bfe077b
SHA512 1eee08322604d6b7bf555a509dde6623c30e0d15ab37ce2ed5ef563d5f0cd4856784edee6fbe1de31ae050b12a62c4c3de9e27532ccd0e32b10e5feed8ff8fbe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 6a9ae39b4b8e2b9bfef21610ae39f1b0
SHA1 c8390085af77abbfd00ae54e4e1fe111dff42fe3
SHA256 c059f3377dffea48efd75160a92f57d2f30b4aace7a304b52915471ff0910e52
SHA512 8c37aae6a850fbeb3e7f3b0eacd37fccfaf5b88979ff17c0765e7cf781e9894fe1a456a4d743bd30b746c0cd53faa8770dae432848ac3babb4fb9738a4f22263

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 163aca5d77bf6b48053d04a4d76db0cd
SHA1 b695684b1335552f44e05edb9eea8d751e552458
SHA256 0ea74bc275c9e33414db74c7af4da8a3204e3490dd01d26bf5f1e50657e5d1b9
SHA512 ed13d480d9d7d9c6b96ef7e15f814691ebd1c158ebcacea86ffa693f011f62b8ae3bdf0bb8463f0f017277ae6c149c32eaaa83e129f6f6f748f4042af299a96a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a714a25215e63b9d2076e0227ed617fe
SHA1 839120f299531ada7a40610c40db47d2286ec03d
SHA256 33d739772de34f051b64ea84ce6f584c46113ec8f1e0f0448dc90629bcbe9a21
SHA512 a4e1ddfbda95a4174b5aa5329b1d577528e071ebc1db53ef07690afdf55be002b4c4f8797287cd8b54b88252dc06880c1fbd6f4fc17d10bff3d3b11201aba64b

memory/3644-650-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 cfd60873d851ee2520d1fcdd879b0a0e
SHA1 5a745eb4bc682e6195f3f3e8eb06cce4a6476409
SHA256 084b1f467fbb263c189f7dc6d155077d921eb331f219250ee1f87afafe0fc796
SHA512 5c10ff72e93d273b80ea1fdf41c66172f665368fe580408df93f11198dd0b33e4a5062df5d2bcae771479c50ce651ec3de1f3fc5be043f0b5006518148e68f7f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 e27c7be941361616a4e8090e57f317a5
SHA1 3edb097758e29fc149cde6078e6509d36313c7cf
SHA256 a05fb840dd7fd7498f1a13100f7ca102cdf386de931d50dd6338868cab54f0f7
SHA512 8f821baac7582de26a461e95c8384ee78e561a34660d4542508eff0997be57ac2d3ba745828fb27132dc1ca4c09b78712264cbacb7aeb821e4d7ae23c026986a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 e641f3b225b89ae91e9d72f24177e946
SHA1 69610ac4bf3abaf60588b8d5c1ac1614d7f94131
SHA256 875fa60bbd79f1b8cafdb2d0852eba369c789d5865718e164eee5e777f5ada9a
SHA512 d74c445d6bc141440e935458067944c0d8560b2fe6fd8a2d7de622f3fb5c712df639378de237466ca7d81475dccc39add3b11aa1b8df684b0422fa38881759ac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 add89a86a48b11acdc9c896145032aa2
SHA1 3c35fc13fe9107b2a7845afda434e60090c0d818
SHA256 62f86e01d6dc639c95a6343a3adf076f14e9a501bb7e551548e04da945d000d5
SHA512 4997612acf02ebeae0a2af490fb268f0083c401d2cf820eb9fa6684f80eaf99b61fe18ebb16f2ce18d44792ee112db2f237e3b724f17bad5747c3641a39009b2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 b036f12dde74bc8761debbede3ae5c3c
SHA1 14f6a661c1043f1e34d0e06d9ce3123e7bebe230
SHA256 255460fbf8efa6eb972d1d3b98c0642d1c9293a3dfb6fa7fd573a72381ca7a79
SHA512 09ab530cff5f6777f472d66af8b246480a8e88f107590fc680cd19328ee58c53bf6c49e2c89aea620f1726cc0901f1c6b911f4eef31a1e2d0135f157acf8b562

memory/3644-785-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 c900251827328d8a4862095326afb559
SHA1 f458d7a1d3540e3c76e80d75e52cf952117faf54
SHA256 986837d2b364f7ce71082ee9ce07d1fa7efa06bda9228124d7d0124cec1ef299
SHA512 e6023faeea5314309052c2b497367ea0b2301bd7cb0c878f30fa0902d62060b9bac6e05c1b5fd3c49d0e052ef4e34fe7e6a5f0538d6f66d0993d8e8dfdd71039

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1dd5ee10f083a1246fa464187473d6e4
SHA1 1e963ed0b358b70d0dd26bf03ed64e8726dde4e4
SHA256 52c970babb871cad4370156be576d656c6e9f02e3caa4bd8b6e524ee4c0a851d
SHA512 71f38a3f2f856353a115474e413c97cf37f6664d8c755c3a00b5d18fd056bac4df25ba994218b05d68ee4297f322f9d0cc7f33d6d15b458b61b5f5c66daaea78

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 027c3d7ebd701aac41a498ecf6c0bdb6
SHA1 c4b5ba576279e55aeaf098ccd443eb2e9e62c841
SHA256 b9bd51156a2b94f697babe3804fa63d0bf19d843c013dee3a1dffacaa2d49a93
SHA512 b2a3045331b26c96785a17cb3f879496f0ff1cd2fcf9c8bb7acf64770425217694bec9d877b0d617fc2851300e4e2166db55320a8eb7ecd92473a7593f61c896

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 b172ac718a0bf2464754594c9dfffe44
SHA1 32e0700d0ffa9de7e971091c2327833e5328e3e5
SHA256 98d0735c163260fdcd1782cc48619fcf25fd935bde4d65e8efc9f8425ce8a651
SHA512 8c7db529513adbfd237f806c001a1ebb1abce3522a3a1c6eb31617b75f4d4513dd8fae26e0a684330de5052d4f958b9d0543bc200455d1f2177566359d63911d

memory/3644-2780-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/5348-3270-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/5348-3325-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3596-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3608-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3620-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 cd46a25a8ad570b7c441be983919b6d0
SHA1 7400025433e401404fe5c44d39311edbcbd984b6
SHA256 812bd94238da6606d0a19d83e12ef7e2e89406b64ddb71ae738defe55d243506
SHA512 a381e1b19bdd54149fe757d1156539610e36afe8a6a7e0d7e1acf1ba38091ad07b60dd5a6fa2420b5e0a1b83d6ca2a10dd1937128d9ce29b68dd223c6463d043

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4f3b85ad0bda26134006debd80117cd0
SHA1 a387610866ca12334d6229f4d0659ba0f686f512
SHA256 ff8b9c4d725e34b3b2236c1d6722170f4cc63a1e83323449b39a43561b2cd69a
SHA512 c52613fc81098a891a8d3174ecb937ed77fe105fe1542dce1e6f1e0985a8729e328693a89392bea5b834034b6ec6dab8622748a66aa130b0511dd10a817849ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d017b50bb9a761c5398e01b5f256f6ef
SHA1 dbe17c510d13a4daf1d4a4565cc224226c74e8fb
SHA256 dd818710ed5667fe477e2bdfeb8dc4da20169effc1d0e785d564cda4e526ad69
SHA512 acd2b94e71bab6729a4f04967c65b79857f1a8842f53cec052e4ce014f95879700601a93be778664fbe6708cadec64d96cff79d60d9faacf0dffc3f78bbae67b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5906ad.TMP

MD5 5929a6f863773c5324a8fde09a3eb969
SHA1 6b2bf60dca7218926e51976639b9b642dae6b7a2
SHA256 8e78addf76ecf14629137ef62769a8a555e7ebc7d36aef9277186495130b9f5b
SHA512 61fc6014272edece9cb5a65f9d7ed8ac299c14dba6521aaf14eb1bbc5e86124c4036ccd0ac848875a25e229cdf1641a9003bb12fded87cc5e77b059cbd6c772f

memory/3644-3654-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3655-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3656-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/6532-3658-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3659-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3660-0x00000000001E0000-0x00000000006A2000-memory.dmp

memory/3644-3669-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d7e1c3aea099309c0e37b3556093887f
SHA1 908d4940958ce1f81fa407750e5fec289969d082
SHA256 e4083584b0f2be89eb7730a2620595b002a336021ec611a58dc5f28673dcdc95
SHA512 27140faa14ab1f854b08950fc00a41f3e8c52dc2907220998808140e510a274d442eeb585314e613fe919da0794775e9d73f7531a47194b0200ebc813cbd701d

memory/3644-3686-0x00000000001E0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f7b34ab905f6d1d2a7a45bb832e9f42c
SHA1 c84bffc0ea1eddec6697ac3bf14a8997245cff42
SHA256 06455dc23242817419cfd21a29a1fc8c4cad273593fb77f372756eb6fdf0aca7
SHA512 20fcd88200b9eaea3f22130d49a9afc38f87074bed205276f176ce6461c83fe31119f256d09a3e9760b1d5d0a6116e8e90f1ee533a23063e6ad4a00b93edffa7

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 21:16

Reported

2024-09-10 21:18

Platform

win11-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c342b0567.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\7c342b0567.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3792 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3792 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3792 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2064 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe
PID 2064 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe
PID 2064 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe
PID 2064 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe
PID 2064 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe
PID 2064 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe
PID 2064 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 2408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 2824 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2200 wrote to memory of 2824 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2408 wrote to memory of 1448 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2824 wrote to memory of 3788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3788 wrote to memory of 1960 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe

"C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe

"C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\7c342b0567.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {930ddc86-e6a5-42db-9593-c4a708de71ea} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76eccefa-2153-4a22-aca3-815cab0845e9} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 3084 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bf77422-489d-4aaa-ad03-3c0cbbfa3a37} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3476 -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3460 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9ef9ece-e9c9-46e2-b737-9e8748aaafd4} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 2584 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {806ff89e-6306-48fe-8c74-54af50807196} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4944 -prefMapHandle 5060 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54d41f8d-be4a-41c1-9c69-0f5062bc2a71} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 4 -isForBrowser -prefsHandle 6020 -prefMapHandle 6016 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2714bdbd-2280-4b22-9f4f-c9f7228bfa0a} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5944 -childID 5 -isForBrowser -prefsHandle 6152 -prefMapHandle 6156 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ff1a86-cf57-450d-97ea-17937fc69187} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6428 -childID 6 -isForBrowser -prefsHandle 6344 -prefMapHandle 6348 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e4788d-c697-4eaf-a797-72c2b52cdda7} 3788 "\\.\pipe\gecko-crash-server-pipe.3788" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
GB 216.58.212.238:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.212.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.179.238:443 youtube-ui.l.google.com tcp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 142.250.178.4:443 www.google.com tcp
N/A 127.0.0.1:49850 tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:49857 tcp
GB 88.221.134.155:80 a19.dscg10.akamai.net tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/3792-0-0x00000000008A0000-0x0000000000D62000-memory.dmp

memory/3792-1-0x00000000771B6000-0x00000000771B8000-memory.dmp

memory/3792-2-0x00000000008A1000-0x00000000008CF000-memory.dmp

memory/3792-3-0x00000000008A0000-0x0000000000D62000-memory.dmp

memory/3792-5-0x00000000008A0000-0x0000000000D62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 260bb7213697b9eab79cfff7cd5bebe1
SHA1 350b664626ee1dcf9fd7bca4cd04a87a4c11adf4
SHA256 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
SHA512 2d8bb03f5b4ed992902aefa7535add761f74e981791bc9058d30bda43b53f92dc86d6e84e0703add200ba2987aa15de188f9eb493d4c8ecc1058094efbbaed99

memory/3792-18-0x00000000008A0000-0x0000000000D62000-memory.dmp

memory/2064-16-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-19-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-20-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-21-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\dd9f190bfa.exe

MD5 ac12bb478b2ae055df15787d43a8dd61
SHA1 78b92499be7174aff470707436ee99eb5e1306f1
SHA256 7c4160768d4c205ed30a845b211a04a53f870d55ab8276f0c6de420a0345025c
SHA512 22b786889143f6886972ba6dad0d8617ef8f54536db514dfc5d9de8c74c22b7429fd0b4feea31fed1d928db46752d64615e94d56b856c1681dccc52f2f8e4aca

memory/2072-37-0x0000000000080000-0x00000000006F2000-memory.dmp

memory/2072-38-0x0000000000080000-0x00000000006F2000-memory.dmp

memory/2072-39-0x0000000000080000-0x00000000006F2000-memory.dmp

memory/1132-55-0x0000000000D90000-0x0000000001402000-memory.dmp

memory/2072-56-0x0000000000080000-0x00000000006F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/2200-64-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

memory/2200-65-0x00000000052A0000-0x00000000058CA000-memory.dmp

memory/2200-66-0x0000000005080000-0x00000000050A2000-memory.dmp

memory/2200-67-0x0000000005220000-0x0000000005286000-memory.dmp

memory/2200-68-0x00000000059D0000-0x0000000005A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hzh14xf.omd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1132-74-0x0000000000D90000-0x0000000001402000-memory.dmp

memory/2200-78-0x0000000005A40000-0x0000000005D97000-memory.dmp

memory/2200-79-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/2200-80-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/2200-82-0x0000000006F50000-0x0000000006FE6000-memory.dmp

memory/2200-83-0x0000000006450000-0x000000000646A000-memory.dmp

memory/2200-84-0x0000000006EB0000-0x0000000006ED2000-memory.dmp

memory/2200-85-0x00000000077C0000-0x0000000007D66000-memory.dmp

memory/2064-86-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 e75060d4fb9e59c63251b0b8787a7611
SHA1 483a611a1801d8df5228faaebfb5e980da2ff5ab
SHA256 1f5cde8286eb4051900392024aa6621417e7e4711b70dd4a3d73a519bc303232
SHA512 683d92dfbcfc80569d4df881f5a121e1aa8b1795975b3e7b2c194f177ada85a915972bfbd75940dfe8d5d2e04dfe09decd999e9d7f4f740d9c4599abd39daf3f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\c20d304b-6977-4b66-a862-2a195157f70b

MD5 19a291235d45d2b7dd8c38f9f2a4633d
SHA1 758b495dd3c4e8f5791a9a189f196e2698c43660
SHA256 444b905cba4e6bdd92d0475c43b069873e04da66679179f392042e1d8f3e7ce7
SHA512 fc5f7166bc7ca6a1121b01be3989cb70eecfbeda27c6c0bd0daad7831aa3e97269984b8d26a7a4c2ac58261f54e2c62523f8df405567f901f9759fe4ac8cb425

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 b43971a6e1e2796f4a4eff482187786d
SHA1 b0bf63eb0f517b99850e3c1c2f26bf6177994a53
SHA256 7a3f2f846e56ad465733b76fa5909738211b4a29ae618b535b7f3650492005fe
SHA512 b0307d7ec1da01515d80cd49b700ce0de682034f4d4d0657cfd196c6f9b2e3788d6b638e65580a3fcfed49880e5638b37aa318f615fd1fdebb129e3a73e32624

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f62d5f10fa6c604324723654cc13ef39
SHA1 5cd1e9f0364099ee32d783a731a47912c9716577
SHA256 643c64596269c9d4d3ab1eca336abe1b5c974ae563942892b74ae7563c0b4815
SHA512 1900ec3eff09a4ef085e56df1703734446240318fe30cdefe4c18edcd40ab4598b9943cb24915612c92f3c6fcd3a1d90e4334ec5aec4ac0a8242be254e6b29f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 ceca88367dfbd656805c9af0468ba96e
SHA1 0cab80d06894b3c7daff476c647b7cd508b307f1
SHA256 ee11a2e54723061c801fc72156b3162b4b23b98f928d04cba3f2a043b6cb4f30
SHA512 c1f65c856e04171feae86c7239f3133e9ea387374646777dcbaf5beba4db3a76253b9a6e711d2f68389c2224db60b1b0f0b0597014226187db8800f34ce9debf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 800c76e7526bcebb4400adfde150be6c
SHA1 6a4f863e721eb778bc27da83c1bc2471dfb2f1fa
SHA256 3764705cd38c04bc75a722dbef61f7df135f0e3b2cb97b59ca567fb0a0b86865
SHA512 f1b85c41f8729ac54e6094129be0a82b42eaf6d48e62035efb4067bb3266e2ccf0e1264843e0dfe8511007cce5c2b85b92a79400ec9a4d434883571d31134d85

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 4ff863e7e635f1e4555492fcd2d14952
SHA1 2386452435b972ccde589231d7e82c05dea00b6b
SHA256 87e6f60cae3c4014caef25924360d3c4529bca9c49a045d697561e7b538904eb
SHA512 7b2db2df5a0a2ad844e2f089010327b78366519adbcf04164d0d71bfb0b3930009de978f4d4f7f0890a16ee959ee5024a0506333e58e841809763e29ad9db0e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\bbbc9cf2-30ef-4bf7-b143-851182dd9e09

MD5 e5f47d37c97ef367c5e93dc50ca01e50
SHA1 eb2eccac7ae5bb3cc4488e1abc4711e1702c65c2
SHA256 85bc21c0fca66140941391435f12de685512c0fd885777ac782ef9153ca80158
SHA512 753414f1742f22c48359d5ed314efd03b6db6c42a9fd386436fb8c85729d5f455888ab83a1985fe314a59720e9ce9daece8e586c96f1981e61e26b210fa00565

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\99f3afaf-ab69-4381-96f5-12ab53c973d1

MD5 e7bbedb6c98e388c1df2b012ab3cd65c
SHA1 9cfdad227d54d8eda696e1aa749a637b5f479f1e
SHA256 a0b3ce3d8e45e6cf02e0b9481b0813b344a239dfb44ad73f3bb0360412128118
SHA512 b61917e3ccd50dcb7931fe80e75cce8f5726bc5a107ef19dbee9663b06c4cf1f8663303666042a4079a24e618539dc640f057a0a2e8cbb1bd06e58fab3ebaf91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 20b543acb728a97c2a3756ae60343663
SHA1 b54980b3ba14bb231f18acf05ec3b1486f1b8125
SHA256 1a33cb2e4d18e38c4860245aeb731ad49bfbb530524e710ca166dca54b554377
SHA512 dacc75c0624ce1ff026f38e97388d772293bf32911c682e1128c7c141ac0ecd73a41c97e951014c29768ca25d00bad0a5b8658ca28c2ab6a2854f118a908f345

memory/2064-108-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 ef832732eb65aade7aee4060121771c4
SHA1 8685383da4db251551ef335d96e2e7ddf5247672
SHA256 ed884db582e57b810401afd76a99e2d3b4c5f2c6951e9f1580597467bc8bf8d9
SHA512 3e1f1fca3834ee178530a895e9d3b7797c60a38577126b95a25829b6ff50c3c525fa19416be576d2985265ea9864cabcb820fe2c4312e49174c47fcc2f5bdf45

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 b01a81397bf070863adc8abcaf664286
SHA1 1055f9d6b2d36cdd278ffe54593730a6f9fcf7b3
SHA256 4038a813514720e740baa30dca5c1ad9482dbf2494f2deea6a56a6b3ddaa0473
SHA512 5972d8c6c231109a87f88781f37c075c3100f9a7c0b9489ae0478322a66fbd88aa5abed458a277fb7dc71371156f91c09a301ecab9b6bb15ff32a1274b91e322

memory/2064-465-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 ba4dc9b651697e03de19c6c72e5fde56
SHA1 d114673c9436ee7a0bf195778557250d31644e45
SHA256 5eb0933bd1380eb7e5a8f62858576596b6474169410ac8c286b954b4fec638bc
SHA512 d2dccb2753eda6cc95bfda63d6193111acbad55c8297a4f42e3c7aef4252c79996b656223fc4d97d7571dd7986ca927f046b260d8ce9c6d8753702f23598fe4b

memory/2064-511-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

MD5 9c290386b07fdb684133ec1be1c2d800
SHA1 eb63d127fd1dc49440cb639b916dfa6446c95755
SHA256 91a91f6a2392c84bfefb720e414b3225a1ff702a6b738b53ff6eba7ca29dfb81
SHA512 c11eaa12ea4ba51deb01e7be654807d1ecf783b9d4d0f6f1ca4ba7835ab8b399c1cbbe97d618b08c6a142696cb71cf7797ad1b3065acb47847734987067c0528

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 68e55823f4d2a3cfbdad4b84f7cd0347
SHA1 d8fea4d9fa94944602b3e96924e651aaade06abd
SHA256 29b71881ac9d1f28b6319f5ffd7077a9e3bb1e67f5a22c057041d4db009a03c8
SHA512 501536decde2838ae8d92d64e1e02b9da66353122f81b87d643dab2aba4191d6235813bde58fe2cf65821ca23c1755b933d53234f5dbf424e992dbba5cad24cb

memory/2064-518-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 9e512f6a6c1032836569f497a38a86a2
SHA1 a7382713397d4ffa1250b289fcb5994d21c253df
SHA256 0dc1306763de4e4dd539adb7922f9b2417f88a9ab1fbfbfee335101824db0cc4
SHA512 5684c1f854b2d00011d0f870500aa7a9b373bf6f80737a0ef780f3ae42d57e88171453d542b068032da6bd603686598b6759772ef91799d3f32b72e1c9702912

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 d505587a41713ea1de6eb35fd82d14b4
SHA1 d675fa61a3d3d13c34908941ef0dd9a55bb5d801
SHA256 a16f76d32717aad550075ef404fae73664a9a5d05ccf28bd73e6aed6f425cbce
SHA512 94b9b5b959b5e102a294b6c606ed537a263ee822c8ae9bb90abe3afe6fa4b2e7fa195289c0a5b181dc53f5fe7821b68486dff3708afa5903253faccea0c8dd05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 79879e98c1529a4807e757461e26ae9c
SHA1 14f08571dda34244ab29f38fb9a4ddff172b902c
SHA256 0e8031c5338658cbe4f7572e6c5ad2004c9777fa74f239e63ef20c8a372e8fad
SHA512 ed1ec1bb66cf7e4ded81c7136f1969c843ad0785070a31d925ff85058dc767bdf346910ba6cd4126999b2db53eb4b588fea24d49ed7a1bd43502e2fce90bce8e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 ddffad26f1510988bd835a979a33e40f
SHA1 66732bc3a929492e9f1db596d856d1d3abb4a2e1
SHA256 7f1414d10b52c685e4cc76650ace6c85a4d5fa80c18f170bfd9882fd34674032
SHA512 3c7451db7591162693c14e8fa841442d47a4037336067bc861da1094e59930d089d21b677af22e2de6b4030b0835f7f353479df1977e1e3b37a97904cf73186b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

memory/2064-1633-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

MD5 b3dacf023e3328aa533d621b4337a503
SHA1 02e9677c5059f77d5f92ddc8d03ab4f7eee589c3
SHA256 d3f4fa404d8e60c0fb2a572e910da2c62e5fd7185c97c114f5269a2171e93ee7
SHA512 c6dbb344e7b44c1e9ded831781b87fbf7a639154b92cba5e6e4375ea03c33f370d2219f61579a4fbda19dc000d7462765b4bd8effc6450ca28d3a91e5afedc7e

memory/2080-2563-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2080-2634-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2914-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2916-0x00000000006A0000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 2afdce0480d7ad8c287beb0dad6ca9ac
SHA1 144e4f0999ff1a83edd94b192cf6de33891cdf5f
SHA256 c9321b1d1e27d45cd4b7401790937506cd3e79a40bdc3f0bf87650fd08c68463
SHA512 6955bc2671dd4e8eb4962488eb6c97a3c6fe40cc154aed17958831cf79328f970f35fe1ee438c07e226a6f0fcb612601c7c8dad6b1f30649a520660cc9fe8ed6

memory/2064-2923-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2926-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2927-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2928-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2756-2930-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2931-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2932-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2942-0x00000000006A0000-0x0000000000B62000-memory.dmp

memory/2064-2945-0x00000000006A0000-0x0000000000B62000-memory.dmp