Malware Analysis Report

2024-10-19 09:08

Sample ID 240911-13ptjswbkn
Target e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d
SHA256 e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d

Threat Level: Known bad

The file e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 22:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 22:10

Reported

2024-09-11 22:13

Platform

win11-20240802-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\a0bf0a3095.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a0bf0a3095.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
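Taken one at a time, the registry reads in the three evasion tables above (the VBOX__ ACPI table name, the SystemBiosVersion/VideoBiosVersion values, the Software\Wine key) are weak signals that ordinary software also produces. What makes them worth acting on here is that the same process, svoutse.exe, runs all of them and then writes the Run value and the .job file that keep the chain alive. The Python below is an added example and not part of the sandbox output: it parses event rows in the report's Description / Indicator / Process / Target layout (the sample rows are a constructed subset copied from the tables above), maps indicators to tactics, names the processes that stack several anti-VM checks, and pulls the executable path out of the Run value. The rule labels, the choice of patterns and the "two or more checks" threshold are assumptions of mine, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed input: event rows copied from the signature tables in this report,
# one per line, trailing "N/A" target column kept. The firefox.exe CentralProcessor
# row is included on purpose: it must NOT be flagged.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\a0bf0a3095.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a0bf0a3095.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
"""

# One report row: <op> <indicator> <process> N/A. The process column is the last
# drive-letter path on the line, which keeps a quoted path inside the Run value
# (preceded by a quote, not a space) from being taken for the process.
ROW = re.compile(
    r"^(?P<op>Key opened|Key value queried|Set value \(str\)|File created) "
    r"(?P<indicator>.+?) "
    r"(?P<process>[A-Za-z]:\\.+?) N/A$"
)

# (tactic, label, indicator pattern). Labels and patterns are this example's own choices.
RULES = (
    ("evasion", "VirtualBox ACPI table name (VBOX__)", re.compile(r"\\ACPI\\DSDT\\VBOX__$")),
    ("evasion", "BIOS version strings", re.compile(r"\\System\\(System|Video)BiosVersion$")),
    ("evasion", "Wine registry key", re.compile(r"\\Software\\Wine$")),
    ("persistence", "Run key value", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("persistence", "legacy .job file in Windows\\Tasks",
     re.compile(r"^[A-Za-z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)),
    ("discovery", "system language (NLS)", re.compile(r"\\NLS\\Language$")),
)


def parse_events(text):
    """Return (op, indicator, process) tuples for every row that matches the report layout."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["op"], m["indicator"], m["process"]))
    return rows


def classify(rows):
    """Map (tactic, label) -> sorted list of process basenames that triggered it."""
    findings = defaultdict(set)
    for _op, indicator, process in rows:
        for tactic, label, pattern in RULES:
            if pattern.search(indicator):
                findings[(tactic, label)].add(process.rsplit("\\", 1)[-1])
    return {key: sorted(procs) for key, procs in findings.items()}


def stacked_evasion(findings, min_checks=2):
    """Processes that ran at least `min_checks` distinct anti-VM checks: one check is
    noise, several from the same image is a loader deciding whether to detonate."""
    per_proc = defaultdict(set)
    for (tactic, label), procs in findings.items():
        if tactic == "evasion":
            for proc in procs:
                per_proc[proc].add(label)
    return sorted(p for p, labels in per_proc.items() if len(labels) >= min_checks)


def run_key_targets(rows):
    """Executable paths written into Run values (the artefact to hunt for on other hosts).
    The report doubles backslashes inside the quoted value; undo that."""
    targets = []
    for op, indicator, _process in rows:
        if op == "Set value (str)" and "\\CurrentVersion\\Run\\" in indicator:
            value = indicator.split(" = ", 1)[1].strip('"')
            targets.append(value.replace("\\\\", "\\"))
    return targets


if __name__ == "__main__":
    rows = parse_events(SAMPLE_EVENTS)
    for (tactic, label), procs in sorted(classify(rows).items()):
        print(f"{tactic:12} {label:40} {', '.join(procs)}")
    print("stacked anti-VM checks:", stacked_evasion(classify(rows)))
    print("Run value targets:", run_key_targets(rows))
```

The CentralProcessor row from firefox.exe is deliberately left without a rule and the NLS\Language row lands in a discovery bucket rather than evasion: both are things normal software does, and scoring them as evasion would bury the one process that actually matters.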

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4904 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4904 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1476 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe
PID 1476 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe
PID 1476 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe
PID 1476 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe
PID 1476 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe
PID 1476 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe
PID 1476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3656 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 2848 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 2848 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 2272 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 2272 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
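The WriteProcessMemory table is the only place in this report where the parent/child relationships between the PIDs are recorded, but it repeats every launch several times and buries the interesting edges under dozens of firefox.exe rows. The Python below is an added example, not sandbox output: it reduces rows in the report's "PID A wrote to memory of B N/A <parent path> <child path>" form (a constructed subset copied from the table above, with a few of the duplicate rows kept to show de-duplication) to a unique edge list, renders the tree, and applies one detection rule of my own: a script interpreter whose ancestry contains an image running from a user-writable directory. The list of interpreter names and of user-writable directories are assumptions, not something the report states.

```python
import re

# Constructed input: rows from the WriteProcessMemory table above. A few of the
# report's identical repeats are kept to show the de-duplication; the long run of
# firefox.exe -> firefox.exe rows is reduced to one row per edge.
SAMPLE_WRITES = r"""
PID 4904 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4904 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1476 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe
PID 1476 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe
PID 1476 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe
PID 1476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3656 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 2848 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2848 wrote to memory of 2424 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3656 wrote to memory of 2272 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2424 wrote to memory of 1648 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Both image paths end in .exe, which is what lets paths containing spaces
# ("Program Files") be split apart reliably.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I)

# Assumptions of this example, not of the report.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_writes(text):
    """Unique (parent_pid, child_pid) edges in first-seen order, plus PID -> image path."""
    edges, names = [], {}
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ppid, pid = int(m[1]), int(m[2])
        names.setdefault(ppid, m[3])
        names.setdefault(pid, m[4])
        if (ppid, pid) not in edges:
            edges.append((ppid, pid))
    return edges, names


def roots(edges):
    """PIDs that appear only as parents: the submitted sample in a sandbox run."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def render(edges, names, pid, depth=0):
    """Indented process tree rooted at `pid`, one string per process, children in launch order."""
    lines = [f"{'  ' * depth}{pid} {basename(names[pid])}"]
    for parent, child in edges:
        if parent == pid:
            lines.extend(render(edges, names, child, depth + 1))
    return lines


def ancestry(edges, pid):
    """Parent chain of `pid`, nearest parent first."""
    parent_of = {c: p for p, c in edges}
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def interpreters_under_user_dirs(edges, names):
    """Script interpreters with an ancestor running from a user-writable directory:
    the loader -> powershell -> cmd chain this report shows. Returns (pid, [ancestor names])."""
    hits = []
    for pid, path in names.items():
        if basename(path).lower() not in INTERPRETERS:
            continue
        chain = ancestry(edges, pid)
        if any(d in names[a].lower() for a in chain for d in USER_WRITABLE):
            hits.append((pid, [basename(names[a]) for a in chain]))
    return sorted(hits)


if __name__ == "__main__":
    edges, names = parse_writes(SAMPLE_WRITES)
    for root in roots(edges):
        print("\n".join(render(edges, names, root)))
    for pid, chain in interpreters_under_user_dirs(edges, names):
        print(f"interpreter {pid} {basename(names[pid])} <- {' <- '.join(chain)}")
```

The Processes section lists the same PowerShell launch with a C:\Windows\System32 path in the command line and a C:\Windows\SysWOW64 path for the image; that is WoW64 file-system redirection for a 32-bit parent, so the tree keys on PIDs and basenames rather than on full paths.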

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe

"C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe

"C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\a0bf0a3095.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {134e2b8e-157a-4248-853f-f58a80911626} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fe0cab2-dd3c-42f3-bd7d-659b9903c82e} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3244 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1eacf76-ba19-4977-8ae7-9c892c077799} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3504 -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3492 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250f6a34-4e32-4d01-92d8-c95686f48b06} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4152 -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce371d2f-6344-4cfb-b4c1-6fb4d8643a5b} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5100 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbb69636-d268-4fb5-91dc-11c3cffcb760} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 4 -isForBrowser -prefsHandle 5876 -prefMapHandle 5928 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0ed4f0-1b19-4d15-9ce2-94cfba9ad98a} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5856 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7d891c2-147f-4239-bad1-4b8556d56b66} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4424 -childID 6 -isForBrowser -prefsHandle 5780 -prefMapHandle 5792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ce69de-0a3f-49e7-9bb8-f41a3da9ff69} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
N/A 127.0.0.1:49847 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:49854 tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
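Most rows in the Network table are noise from the browser that do.ps1 launched (Mozilla update and settings endpoints, Google account pages, the OpenH264 codec download). The destinations that deserve attention are the ones with no hostname at all: plaintext HTTP to 31.41.244.10, 31.41.244.11 and 185.215.113.103 on port 80, plus the PTR lookups for the first two. The Python below is an added example, not part of the report: it parses rows in the table's Country / Destination / Domain / Proto layout (a constructed subset of the rows above, including the loopback row that has no Domain column), separates bare-IP destinations from named hosts, decodes in-addr.arpa query names back to addresses so a reverse lookup can be tied to the connection it belongs to, and emits ip:port strings for a blocklist or hunt. Which of these addresses belongs to Amadey and which to Stealc is not something the table says, and the code does not guess.

```python
import ipaddress
from collections import Counter

# Constructed input: a subset of the rows in the Network table above.
# The 127.0.0.1 row has only three columns, exactly as in the report.
SAMPLE_NET = """
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
N/A 127.0.0.1:49847 tcp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
"""


def parse_rows(text):
    """(country, ip, port, domain_or_None, proto) per row; rows with an odd column count are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def ptr_name_to_ip(name):
    """'11.244.41.31.in-addr.arpa' -> '31.41.244.11'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows):
    """Split traffic into bare-IP destinations (no hostname; candidate C2), named hosts
    (for review, mostly browser noise in a sandbox) and addresses that were reverse-resolved."""
    bare, named, ptr = Counter(), set(), set()
    for country, ip, port, domain, _proto in rows:
        if ipaddress.ip_address(ip).is_loopback:
            continue                      # sandbox-internal, never an IOC
        if port == 53:                    # DNS: record what was asked, not the resolver
            reverse = ptr_name_to_ip(domain)
            if reverse:
                ptr.add(reverse)
            elif domain:
                named.add(domain)
            continue
        if domain is None or domain == ip:
            bare[(ip, port, country)] += 1
        else:
            named.add(domain)
    ordered = sorted(bare.items(), key=lambda kv: (ipaddress.ip_address(kv[0][0]), kv[0][1]))
    return {
        "bare_ip": [
            {"ip": ip, "port": port, "country": country, "hits": n, "ptr_lookup_seen": ip in ptr}
            for (ip, port, country), n in ordered
        ],
        "ptr_lookups": sorted(ptr, key=ipaddress.ip_address),
        "named_hosts": sorted(named),
    }


def iocs(report):
    """Bare-IP destinations as ip:port strings, in address order."""
    return [f"{f['ip']}:{f['port']}" for f in report["bare_ip"]]


if __name__ == "__main__":
    report = triage(parse_rows(SAMPLE_NET))
    for f in report["bare_ip"]:
        print(f"{f['ip']}:{f['port']} {f['country']} hits={f['hits']} ptr={f['ptr_lookup_seen']}")
    print("named hosts:", ", ".join(report["named_hosts"]))
```

The table does not attribute connections to processes, so the bare-IP list should be read next to the process tree rather than on its own: a connection on port 80 to a raw address is what the dropped executables would make, and nothing the launched browser would.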

Files

memory/4904-0-0x0000000000CB0000-0x000000000116F000-memory.dmp

memory/4904-1-0x00000000775A6000-0x00000000775A8000-memory.dmp

memory/4904-2-0x0000000000CB1000-0x0000000000CDF000-memory.dmp

memory/4904-3-0x0000000000CB0000-0x000000000116F000-memory.dmp

memory/4904-4-0x0000000000CB0000-0x000000000116F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 7f8b4777a6921d7fe085191955d8f9e8
SHA1 0157193e769423cc5073c6e0f48b2cd879c06497
SHA256 e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d
SHA512 1d9fae6f2289e3b4818d718d45860dbca8bbfd577ef9a082336be43782a280a54bd2ca038753ce19b1ea7cc9e2f56d3b3cd30aeda1a550cd06cddb071cf73964
Note: the SHA256 is identical to the submitted sample. svoutse.exe is a byte-for-byte copy of the original executable written to the Temp subdirectory 0e8d0864aa, and its name matches the svoutse.job file created in C:\Windows\Tasks; hunting for the original hash therefore also finds the persisted copy.

memory/1476-18-0x0000000000360000-0x000000000081F000-memory.dmp

memory/4904-17-0x0000000000CB0000-0x000000000116F000-memory.dmp

memory/1476-19-0x0000000000361000-0x000000000038F000-memory.dmp

memory/1476-20-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-21-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1692-23-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1692-24-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1692-25-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1692-26-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1692-28-0x0000000000361000-0x000000000038F000-memory.dmp

memory/1476-27-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-29-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-30-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\04a6a77fb7.exe

MD5 50d7b4ddde987f738f29064556b31177
SHA1 8665b718cf44194c50d2eed8981b8e643debb98b
SHA256 0c38ce400b5a99c4d0350fc0e3a5c8f7bb366d73ba850ead3bd63dcc709941c8
SHA512 4cd03621fea07ca785792fae5fd4ac36281ab0718c1db0c4b6d0bd63a57ff1bf45ce5852b6c84782f2eb153fb7c5acde8096fe407dd5acf454bf0b9aad0a21f5

memory/1476-39-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1496-47-0x0000000000080000-0x00000000006D7000-memory.dmp

memory/860-63-0x0000000000C90000-0x00000000012E7000-memory.dmp

memory/1496-65-0x0000000000080000-0x00000000006D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/860-74-0x0000000000C90000-0x00000000012E7000-memory.dmp

memory/3656-75-0x0000000004930000-0x0000000004966000-memory.dmp

memory/3656-76-0x0000000004FF0000-0x000000000561A000-memory.dmp

memory/3656-77-0x0000000004F30000-0x0000000004F52000-memory.dmp

memory/3656-78-0x0000000005810000-0x0000000005876000-memory.dmp

memory/3656-79-0x0000000005880000-0x00000000058E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgyrpmam.xsr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3656-88-0x00000000059D0000-0x0000000005D27000-memory.dmp

memory/3656-89-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

memory/3656-90-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

memory/3656-92-0x00000000070C0000-0x0000000007156000-memory.dmp

memory/3656-93-0x0000000006340000-0x000000000635A000-memory.dmp

memory/3656-94-0x0000000006370000-0x0000000006392000-memory.dmp

memory/3656-95-0x0000000007710000-0x0000000007CB6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 96cc54f8f053a6a792346656729dd3ea
SHA1 df5d351413425b8898282be1394ae90c45c055b7
SHA256 ecdfb5370a42f2fed99879a703eb3fa25605d5444dde5d79ae223da7e69306b0
SHA512 75af16c0015eb51ca1122120f14f45a1feb2a9900585b339b6db9fdae7e1e91c6c48b64f3666570375ca25ee4d530122f5acfb4869e93d2242a3532b91913fb2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 87b9bed164226f029459fc2d94b8e32b
SHA1 1473d107d6646cc1c9d3ef708a0e7f5dc1da7e42
SHA256 7ae2bca0cfd9796a527fd2c01907f31b3b7070a965d3edaca2a40f5c9e54e6be
SHA512 886d534b8cae54f98ae6169a4ab9cf45b37ba7989a1ceabb67bdc7bfc2075d9a856b5627344406f8c1dde95e1d1c65f36184df5f7e2f85f9fed00ca66513662b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 6e4cc98c6e54b65eda6dad99839890f7
SHA1 e0e6b6a6abe8936c13e2f2b2a4498889c3a34d18
SHA256 7837db1cd2d7007d7b327ad7e3b8bc3f08906e4d528a578bc80b648f9341a223
SHA512 a5911b0731fc572bc597f64e83c5216d357dd60c4f751f74e2d84447524aa2979987a830129cc82e10de3a77640c80ad977b701ebe54feef47d8c25ce4802f14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\f811f0e7-b390-46d2-81bc-aa12cba765e7

MD5 5b1d4635f95fd6cd081a9b9f0a3593df
SHA1 8fa917a1856f9973ec8fa394a36269b08a91c01f
SHA256 02b7978421022c727cbf311f9c9af8bda4930e105af91c90abda16e527bf34e2
SHA512 8eb024796b5cd78c3287ac707191fe42865361f5ae791f950599a723b25a33c7fe93bbe041cf6ec61ab302fde6047da74d8fd6f2dab23e141ebd05372298a853

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\7ef2a909-3f40-43be-b26c-e00d2855d60e

MD5 e04e5c195ac0d81bfffb92b8b8dba903
SHA1 b3af8e495be231080fda64ecada816853e21afe7
SHA256 fd764fd7244b896a521c21ed7839c9c9583ecc477e302d86cdc543b216357689
SHA512 8775b92937af023d15ca2b7ecf2e937ff03f4d8dade8f212ccd50dc5dda1c2b9d6f138851eda9c67054682e01c4b8551032b4cbaae7e5db620e431d85865b7ac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 2753315fe7dc4a8c896007ecc4cc3008
SHA1 55325e2aedd713034c28339d45c2008a9313e5c5
SHA256 68c2d91a834499d876bb3dd5c7f4fc5d3812831d80d41dc67ec53fe8cdc8d490
SHA512 375c6a14b5e12f7ac0cde2cb0a69a8600a98cc90097ac0adade3b2d3f6f5dbe33f62d94a50269a81ef42d9f136f108c7ece1f23b6491685ab8b1eb086e274ebb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\f0587afd-c52e-4911-82ec-fbe463599001

MD5 a00541b3969ff72af3b89bbe2c738d7a
SHA1 71d88b4ceb6c7ec261606fee7a06bf7b86669a42
SHA256 2e033b55d32f29da70d5f2e756a028098c7d8d1c90e7843325e8c282f16c82ae
SHA512 616d0aed7b87f848e810884d4689b1216a7be36fb0f0d44ae99685009f4e9169f3d314d957f44b564fbd12b3598cd75891b426c6cc10ff9fe7ef4ceaf0461b83

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 468656f9c538fc459ad4772b7f6ebcf6
SHA1 98d32d8226a3e90152e26bf997d5405546b1a4c8
SHA256 04ec27e4970a1f3a7272e76ffd1c0b52902e75044c88d50afd59b55746635dec
SHA512 2f2130c01573fa513886733ea889d248145550b036b8e87122c64897b3f06f0b259631c35f950887e68790ae8d321876c561d172e73796161820ef326227d8f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 db4e8c09cd6092bb554addd0b6cb8071
SHA1 3fbcabacabfbdfcee82726a4ed21d34f431a7154
SHA256 7e15f191643a2170a8b599e1e3bd704de886dfb823a6ff1a8e83bcc36e25beb2
SHA512 aa01b31dd3b32241e4a85ab478de5ec8239ab510c1408a650dfc16b979a716033a87b0c7ebcc569ff27c2231d42110c34ece6619cf7f1337070f6d2db220c8ed

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

MD5 b1578f8aad952fa4cf8dd9d47c67d9af
SHA1 56c7bb3d0e42f1e9eed17be29c15b9a8980b4a5f
SHA256 f300fe5aec674c76e1b60cc1bbdb6f2383cf77a8fb0950660e0de83085f2eb45
SHA512 fd84f7e29a26d5a589053df26a0c9c2b3a01833e62b40ac849d35470aa02b39edc1c3b820abd1e2c4877f966027ba4400cc818c4de8bf529afb13726b4ed7417

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 c97d718fc56d6db01f573153bbd9f7df
SHA1 8201040be8f49df1820b3cd40fb4b5c99ded0bc8
SHA256 e5b66e72295d4e1fd0bffdb2a6a5e431fc9a5454a7ab2326523233bafe62430e
SHA512 1ac0f7752ec6060b0547303dc69eca2b0b07a050bda0994b5ff07b6013eec504763ccdf71fee291a4189acca8d61d88f72ea5e812d2698dcb21adc4b8656d1ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 28c9269fa9ef055e916835e1ad9ba8f7
SHA1 5168ca2c334a081f5c24d17e12fe33278ff5c75d
SHA256 e15f6205157ce27e2c0bdc1a56bec4af856107ad64c1b2dbf1f1d17b891ce1d1
SHA512 95cf4a86d30d1b0e25b242d37d27ebe963821b8d47e29c0b913497640565c4cfa524de299265955d003cc39b6d01ca2b4c7bce7639fde786891717b34fedf101

memory/1476-490-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-508-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

MD5 d0ba38eec8149ee9998a90cd4e6ae2b6
SHA1 e9921909ddb910557357ec6fb8967418cf1229fb
SHA256 63d8faf30669e7d385dbec1a37a71a55f65125628108e62b00570f230e43a615
SHA512 9182cd4a51dd308b59f6830d832de87d19a7664742ee705f53c4f9e735850def59636b44bc54fec8f856d8f2aae2f08d74ccec397a62a883c52255e226a855fe

memory/1476-517-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

MD5 5a976ec79badac0dec543f55fd235d11
SHA1 b211f7b81c3f8e36e4a5445ade25a0a3e35b327c
SHA256 373855c0c172a31610f85eb3987400fc3c056e0da50f10293d13e00d5c0382c6
SHA512 f906d5eb2fa64db077a8d779533cc847c71a1b27dc9a4788f60816144a45fe230fe415c56a5ba2f94b062bd088fcd218cc16faa0a7e37a6f89006cad7ea5bb0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 53e74ab7549f7d905ce0ae0d8e39b0da
SHA1 39f4f3f9f14abe38013d90e766d5d80d2e6828f6
SHA256 5de41a4433918eb2eff73ba11fd18eef330479ec4b33728b5b6609c655b18c11
SHA512 cdcce3cb48242f2d54c21d9a39595777f9c57adaeeee0e6fbf782e24ca226817002e62d603f2b942a9f0cfc5df7da782e6a3a4484703c07a03736e734f3999cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

MD5 655d21f2597c42c2cc6c10a76ac400b8
SHA1 2c707fb77b4dc844b118ff052a0e466de0e272bd
SHA256 6ba3b2e659e0c808bcc0b333cbab796d5a93ae5650bbf8fd20a64c48e688ec1a
SHA512 f0e249e7f28fafa47d4ae97488f95660d3385825d4496a91c41efbafa0f9e45164c66774e5e011ba6359ec4be8b5d9829efac8d8d22fdecc79e4c73b06017761

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

MD5 68a2b570df1c9507e9f2ca9d793e3987
SHA1 df9e9f2d3714d203f56d4ef73a35e476d55fac65
SHA256 6e397f06f624d77fb1b6ab2c40538e1d8254a640f7378c00cfea1c811030a209
SHA512 de0c17d6e1390403f8f99d225ae56df78f9983bc9e0180a986f67e431cc63bdb767734ec49dfb4563d872cd4fd7351e03681e3851177c621de192cebfd802450

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

MD5 0d01b120ae461d75d6c87fdfbb9d9e04
SHA1 339c5aa4bbb5d6a8c7f9d45fd2fc7b2c75affc30
SHA256 c2992d4494da093fb37d5019ee4315c1a0abaae3176eb5de3e206cf076a159fb
SHA512 b54fbcfc60f4f3797659cd7c1d2e1ff00ff31f05f9a7f6c785e2057ccc47b36f2a77ca16617792687b7b821d134c9cc0d891c5a52726467cfde342aa247a2a88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

MD5 b81c1cb20b561da505a5c8bec815d816
SHA1 c77650f89fbe2d9d5316d831313c5829cf62ebdb
SHA256 1568280c9b4a0b316b38ea05d1a645d87879f299daee804a402e21334cc1c29a
SHA512 8ab9728feab9859097322dbf1eb482b66e38f0d21f2c2579c0f0466056e5f730fe09868e1f8690945c8225f02df119dd4f7480232ae9e8c03bf6b5156f3ff95a

memory/1476-625-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

MD5 e0cb57277877e6dfe723d3d44899c411
SHA1 bd7c74a403cc5a81601a08c59e38f03bca4ead85
SHA256 f97cf4a24e312c58e7208d1afaaa190ee94f1a1c377e8093f8df850f166070bb
SHA512 58317a12ad48567c4c60f00e0cd7824c304e1054c4d0c32311176bcedbba083fbc66b6bcd6d6a002ae60fdbca21434b69f3cd5a4b3ee0b41834687da17d4c6cd

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

memory/1644-654-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/1644-667-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-673-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-676-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 18f1f654a6f411f44bff0d22eb085181
SHA1 560e971d9a4f677c393c65967db174691027bf9d
SHA256 072b4ad4cea88d68801205bbbbdb72482be0581927a44f27b1e9c5fe2c84e53c
SHA512 a95b15f2822112d9467cb7690127959c8a8ce03370d85601b0ffd46071bec610da69997973f91ba271dd6e8db4b9aec82ab7fcf3c32a1a379702461545be3836

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 67d7f3b3d0b19ffe958529dbffdb91a4
SHA1 d3a9df4502e0e4fec07a133fa52dc9b0b78d5e64
SHA256 328e9672922d4b91a3e063a4c7c38cc2947afb879abe3aeaa89573fcf3b07cbb
SHA512 6c748f1da0668debac369f0efeb5613f873952a1ae143287e06d5d06985f62494ca0df1db4ba47a685cc7f09cf03605b1f521276775008a257b47e4ce00b3d4b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

memory/1476-828-0x0000000000360000-0x000000000081F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 f25a905dbb1aebe39ea64b8a40c64ce7
SHA1 d835e9440d11aa1f767849ee13ae90c88b1f56e1
SHA256 c461b29a7273aba5e0a0d9a45324430e2a6bc5730541f13bd7da211f83b75751
SHA512 ba04dbc152e32f5868ab33b3b9fc9704687d371fd77b819b2be229479964434ca497d21c4b86c8ede1a2b842bbd43c1678a3bf3e9a0753895d2a2c1dc093aa49

memory/1476-1314-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-1441-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-1998-0x0000000000360000-0x000000000081F000-memory.dmp

memory/668-2318-0x0000000000360000-0x000000000081F000-memory.dmp

memory/668-2319-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-2619-0x0000000000360000-0x000000000081F000-memory.dmp

memory/1476-2783-0x0000000000360000-0x000000000081F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 22:10

Reported

2024-09-11 22:13

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26935f8e78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\26935f8e78.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4432 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe
PID 4432 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe
PID 4432 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 1620 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 2368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2368 wrote to memory of 4852 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4308 wrote to memory of 4128 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4852 wrote to memory of 1744 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe

"C:\Users\Admin\AppData\Local\Temp\e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe

"C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\26935f8e78.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ceb39f7-1732-4ac8-8f96-2813435f4cff} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab87b7d2-29b0-465b-934b-11ae93f19810} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff42d746f8,0x7fff42d74708,0x7fff42d74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff42d746f8,0x7fff42d74708,0x7fff42d74718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f694fce4-00bb-41d8-b497-880c5235d416} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3732 -prefsLen 22631 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8fbf1c1-e474-47e4-b95f-028134e224bd} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -childID 3 -isForBrowser -prefsHandle 4392 -prefMapHandle 4388 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebcacdd3-3d8c-40e0-9d1d-934f7bc33c2e} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5004 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4968 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ef5450-0705-4684-afa6-85a661f11fff} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,7951260034246629184,14094744811415041104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,7951260034246629184,14094744811415041104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5636 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea49fbd1-606a-4773-8c20-5ceda90c39f5} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5880 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92cafb57-dae4-414d-8c6b-e80e53a9bc4e} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 6 -isForBrowser -prefsHandle 6084 -prefMapHandle 6088 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea12f19-0d86-448c-8668-c2b13eb6fc89} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9305568260227832905,12381671371592165643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto

Files

memory/4244-0-0x0000000000C40000-0x00000000010FF000-memory.dmp

memory/4244-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

memory/4244-2-0x0000000000C41000-0x0000000000C6F000-memory.dmp

memory/4244-3-0x0000000000C40000-0x00000000010FF000-memory.dmp

memory/4244-4-0x0000000000C40000-0x00000000010FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 7f8b4777a6921d7fe085191955d8f9e8
SHA1 0157193e769423cc5073c6e0f48b2cd879c06497
SHA256 e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d
SHA512 1d9fae6f2289e3b4818d718d45860dbca8bbfd577ef9a082336be43782a280a54bd2ca038753ce19b1ea7cc9e2f56d3b3cd30aeda1a550cd06cddb071cf73964

memory/4244-17-0x0000000000C40000-0x00000000010FF000-memory.dmp

memory/4432-18-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-19-0x0000000000F81000-0x0000000000FAF000-memory.dmp

memory/4432-20-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-21-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-22-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-24-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4168-25-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4168-26-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4168-29-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4168-28-0x0000000000F81000-0x0000000000FAF000-memory.dmp

memory/4432-30-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-31-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-32-0x0000000000F80000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe

MD5 50d7b4ddde987f738f29064556b31177
SHA1 8665b718cf44194c50d2eed8981b8e643debb98b
SHA256 0c38ce400b5a99c4d0350fc0e3a5c8f7bb366d73ba850ead3bd63dcc709941c8
SHA512 4cd03621fea07ca785792fae5fd4ac36281ab0718c1db0c4b6d0bd63a57ff1bf45ce5852b6c84782f2eb153fb7c5acde8096fe407dd5acf454bf0b9aad0a21f5

memory/4776-48-0x0000000000E70000-0x00000000014C7000-memory.dmp

memory/5060-64-0x0000000000B30000-0x0000000001187000-memory.dmp

memory/4776-66-0x0000000000E70000-0x00000000014C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4308-74-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

memory/4308-75-0x0000000005370000-0x0000000005998000-memory.dmp

memory/4308-76-0x00000000059E0000-0x0000000005A02000-memory.dmp

memory/4308-77-0x0000000005B80000-0x0000000005BE6000-memory.dmp

memory/4308-78-0x0000000005BF0000-0x0000000005C56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4get4bw.k0k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4308-88-0x0000000005EB0000-0x0000000006204000-memory.dmp

memory/4308-89-0x0000000006250000-0x000000000626E000-memory.dmp

memory/4308-90-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/4432-91-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4308-93-0x0000000007550000-0x00000000075E6000-memory.dmp

memory/4308-94-0x0000000006790000-0x00000000067AA000-memory.dmp

memory/4308-95-0x0000000006820000-0x0000000006842000-memory.dmp

memory/4308-96-0x0000000007BA0000-0x0000000008144000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 27304926d60324abe74d7a4b571c35ea
SHA1 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512 f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 149de576d27953c43ca7b34cb1b8dabe
SHA1 392dd0d867ff9d6a3a2984d3c3d5815af97c2b1d
SHA256 06379c09bfa41ff881631740e808e374d5fce9da2a1bb6364505829967e560ab
SHA512 057bef13ca104fa72cd4f07c3aa3753fe9f1f600c58cc6b63b6c53dee7392bc328ff3678b74a7f2fa42774322bd826ad7126e9fae8e23c69e158de3d4a573fde

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\6cc9b93f-8bf8-48a3-90a8-bb09cae4c7e4

MD5 414d7def5d3f42478b23b29218b83d08
SHA1 be93ef5b5ab835e20d5c3547df7ee8d5492c8e75
SHA256 78bdef2c7885d054774412a757eb503d2c9bbe4e26ed92307a612bb1f8611422
SHA512 0292ad2c7cd9ba95bc0d3c3682096e4ebf81ce321eac5cf40ca3cd2b97514e3ad24b6c35d3cdabb88ea3204f9245825fc48225670b36b242256633e030710dc8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\393b9c67-d6ea-4f77-91f3-ce8d4233490f

MD5 93782fa5269d8146c8825fe0674ad602
SHA1 c517e6cff121deb49af64f39c0d829c5abf58dac
SHA256 1e836e05b2c7c9e07a31265a391121844234b70d410c20483e970555558c4dbc
SHA512 592310628ad42bb7958d696f259ce6ec6948dd85cdc724b485f48cc6720863dcfc2044d95ab367224363443daf5007599f8bcfaad212db39e1599e147bf3c634

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\ebb5263f-aa09-45cb-9098-9defd2ec6c44

MD5 680a3837b6e3d9d1b34f5adf55a52453
SHA1 e303a35cbcfc7a0f5ba6ed11dd6e219fb2ccb864
SHA256 2f8e7497bb6ff9a833172988975b1b55b0d2b57bbff6509174cac0f457e267b9
SHA512 a74aa908a7cd98a243c3824b6f3f957cdb42f6b40daff492a33a17076f26921143fe148a390a0fd0f9b5f13a4fedac39236264a38b1f75074181c044dd17bb4b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 46b4376f639a8065efe838092c254e65
SHA1 9988d871d2233091a3a14a35cb166c4bce35f548
SHA256 9222cdb1d718412c13a7206e84126fbb3d004d706c37ee62bb2c0ece70b4ca23
SHA512 a7d5f8646e54c3f992618039d8eaaec7582bb6354b0069037c21ff7ac71e71b2b47af6afd7d0584f7e1a2a051636bac17536eeda5044f2d3f0354898d414cd2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1 c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512 e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

\??\pipe\LOCAL\crashpad_2704_HVJUTPYRNCFDZHCM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 72cae1f6cb939acf3bc11c7155214f5a
SHA1 1dec0695b318fc4bf43ad1aabe27608753fffc0d
SHA256 dc36ba14de055a4cbae63b54c156184753455cb26e5672bdde85c88d701a4b61
SHA512 3f3e0b8290b706536d7cb9d06281baf79690d5785e8f3be5b2f6af3bcea9df62a10b267c1e287dc75c5033783fdc740a5d002fc058225d36ef26fe7a15a16194

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9518e437001e95819eeac6acea59a95b
SHA1 386b87199d173f83e4022dce0fb264bb8b545167
SHA256 f076fb159850579e509d01d4be2193041b1d64e37720cb2913218ab798696cd8
SHA512 1a07f33cfd3a8c0f4682a82d5af9ec59001e848408ca8832a3f97026af3e4191075d9372c44ac24a5d2f796f2d2028dcb4b833a615a50aa054af2246bc048ca8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e762ca45eaf3698b3d20ff91538c7a3f
SHA1 1bee221ad0ab1371c278616db2b36ac92153bb1e
SHA256 4eb7f8ef18ceffcddec09be761bed6386200e8c8d76d6ed5b9ec189a22cdb42f
SHA512 aa17d4aa9b4d4806b8d790f889dee319dff4d50c2b5d55301f7cb6a9f5356feada3d9f58e30d5ab58611f6fa8890340f5c982a3ebc28a32fc608cd96570b8a84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 bf2156310b53bd4aeb8a58dd06fb5ed8
SHA1 2d1b7e397ea054f61d7e3f813020109f4376e730
SHA256 a07cfde624890e1e3a0eecb6333616ac914dd7e2ef37448eeb6a19b367171ba0
SHA512 66ac7ac68a89b9440939bf2297ce7958c9f34824ab07975f0c1bdbc09ec7e26231e3f33916b9688da04e238cb6c0f2f827fb9bc24b1c160d0ed1e1ba6134faa7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 e3a5e3aac41ae45db7834a32176b4f03
SHA1 920f2f136f511597595d1468e97b48c1f4507e4c
SHA256 8aebc416038c5aab54661776590dff8d9623dd87666cd0bac13105cc86138bed
SHA512 e13128128d08283011ae728f3366d57cd29336e2db455c499afcc09d975babd18dd75d202aaf504eb58657780cc9dcd20c086308ce52e5d359a841f581d3c008

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 fbdcadb7321be89f0f2f6d762dd2d0e7
SHA1 4f3b9204f64a97425903212d04b936d3883e99d8
SHA256 e52bb0487a615b865496ca60d36c33e5a99c5c1517ed9a084aef317bdaec957e
SHA512 6bfa93148490cfc36828c09873ca1ba439d3966fe0948991b341c12ea25e1c973a975d223e237c8bb72ae14ffe77374cc03869624fd340feaaa81b6f4a2beb23

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 d4f3bc24abc1762547a5148a32eb6633
SHA1 761b787a0254865d3731572ba34886dd4de8adf2
SHA256 69bbea0d548d5641f679c2ecf0e53665b31b4fe4f2cc1c7d2dec453d0d2f8a64
SHA512 256a14a7efff045d701a65503ceff873ec9ad71d736bd8690ada7692e00f31d1198d34dd1804fcf9cc6cc79b498af2c7fd7db2d573a3afbb8c9ccd79adb9f4cc

memory/5060-503-0x0000000000B30000-0x0000000001187000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 e77712d31098d44f68e286902e81d4ca
SHA1 af050122b89eb9affda95a9d11734d67a2400287
SHA256 39383a9ecc29cda2ce704d90da5d4d16f7a6f7443f419223a8c488f0f466ed82
SHA512 f1b5abd60839541db0e01462031ce8047540d1bc0b6def6f10a6afc5330eb05249b760dced974806a41a1dcbb214c308e14f5da1714987daa382a9535a224357

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 3c6f758b5a1c2bcbf620430e3e0ac132
SHA1 4a16c8474f4209d8492ae58b91c227c5c37ae200
SHA256 7bfa20e89227a93d2d1f716b86eca48ecf663a5cbab5950289c969efa2055825
SHA512 d9843e22ba447b6d629059715d2e15fbe85d6662addc01a14f82e814ec93022761459119da4aa008b126def5c757f901f78597b2ea16dff3c3d474b2bc207f40

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 1dfb0bdccb4493ea1d478dfc9a71c357
SHA1 8058fd1afeb19a9da2a546c52888fd3305df3b58
SHA256 b7e3e770bbe9c5ceb2ae111fc2c8e8c22fde3c57633477b361bd05981c7a2e41
SHA512 416ec69957515b202ba41ea1833d8e7f41a9467bc27bf4d352c1108d4c5638cb0dbdd4c608fbefa2fe2567b6405075b8e96a0b7422f63dd3b5e1db6a5a00a9e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4432-651-0x0000000000F80000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2bebb74aee42885947d91ee5ce111ce1
SHA1 3b2d78be80ad7156c3f2cfe00acb452c88f00232
SHA256 185a7f7d79be679929ce405391715914fb0e60dec775ecb5f8c6d9a0760c2743
SHA512 e13f93c8056d435f23e179596893121541ac83bdf3fc687942722b3a911aadb0e2955f025906e1add2ce0c8b645cbb2f8a1f425d2d15782f6db8b8ff68e8e11f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 001ffeece8d52a5e6ad48276b0f20a9d
SHA1 6686e5a9b9e665c6f9fbea8722415c5e34c840c7
SHA256 7d41ba67e5c06c0d4a5d88e944b881199b4778c01f622eff24600eeef49c73eb
SHA512 793fc9999c4309e5afaebc13d6269cabe02fadf9cd161d7fb150b62ad9618740f4594e6d386472e42ac3be83cdaa09a7f112211f173fedf871ea7a0c29555a62

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4

MD5 4b43c1286b477638137530f9ed8bd1f7
SHA1 a51be2e6b9820b5276a8f9de3f3157bded783f7d
SHA256 2281e62a54a2a272ffaff127be9d7cccbcb74bf01bd2e1c92203aa5fb484e076
SHA512 3d5412a27af7177513f56f3235b8765fc8d1a084a9747d436458a06bd14848a634e14cfe44ef81897da9751482416137e12e5f45b1b9898a361b5ddf77e24717

memory/4432-703-0x0000000000F80000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 8c7205e5dc66a034471bc5ebf20e66c2
SHA1 2edfcb6858dd379939aafd21980ac1475bb24693
SHA256 a66da394ab00af74ecad56e8736eb35d43d60ce916e8399bc56c090e6739aa7b
SHA512 1cd558adb03d32ba5dd60448f7ebdbb5e81a3d61d8ff80741dd7265a40c7d01c9f0fbc18d1287a4a895c860075548f7c3cea5655b26865b8af2ec8d1404fc668

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 a85a9e732361b8b519e78990208a97fd
SHA1 9c36ec4369642036c26cf190067adb6dd343fb78
SHA256 db2c959c70752eb27783927077e83a5fcf6e6e02eb9121d2c70186c437af1cf0
SHA512 338ea0922979d56de500ae3fb11425ebaed91782da71905adb18ec7248f9acb5680d6cb3b87a268ae9cd8d8c2e28cba47824d495ad5544dc5b2aecb3d585ce1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 656780032115cd1886752978bb1a1e5f
SHA1 83a0c96a03cb569452646f9729e06905042df0db
SHA256 8a0fa96e069fa3c4f26a3d7c657d959b50089b3afed4748f0368f957d00983e7
SHA512 cede569055c0c895ce770677a892b6c84deff7aa0678ce5e3a38b86dfdaff5d10f7f873e7b2d7bdf9d6fc77da7bf399b7b4114fd15eaf78428dd8f7c85601a70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1801021d1b9ee46784883019d988a4af
SHA1 e890074a6427ed781d2b560226ef8b02e4199097
SHA256 e020a7a468f1914d2d92bb6508241829f31a28a78b774539562c6fa35a506db8
SHA512 9e95193cf94128c90b829e9e2637b4d66c89d14fcb5fa11e87f4dbb1ea8abece84c4c042c2edf67266c29e31ab038a9ba8ca280e866a8a0dd1e1fbd360be68be

memory/4432-758-0x0000000000F80000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4

MD5 15f8f13547ab87d172e5cabdc1171566
SHA1 0c844b9f167d3ffa78d5ac860041b7e7ea3781fd
SHA256 fa23ed7c0435e084235eee940e780d09ce74327729e6da979319c16da1208ef4
SHA512 3c3029cb6dd370b373d0fff91d1c5c8cf0cddb18179553d220b74b05b51b3221ba56f241d3303494d8d4f0858e2997a5451ba9fdb1415f949a3463fa9a644fec

memory/5304-813-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/5304-817-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-820-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-823-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-836-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-841-0x0000000000F80000-0x000000000143F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1a68848218765072243bec47724a3e42
SHA1 cbe2890728a2299d4403a51128c6f9d880517064
SHA256 609f2431148a9da111843c10d8c4e4004dc91f708c7198466e46a4b31b1ac104
SHA512 5c92c777b233e638f17b8be229f4b59b6d811b2400d4f3ee1f5ccfcc56c923893e23921fd17c4c432e24cadce3f5a2fc494eb4eb102adc7363bf09f0880f33da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7a084e265b8e81c6515d85b62b897afa
SHA1 443d50968ca94acdc32fc161b47d98e22fe684f6
SHA256 70d5ce496c634673653d6190f08aea607b665e198e5991c7006a55ebf18c0fbf
SHA512 e78a55ffe7ab608f91fdc7e8cb5495688499646682d0b7d5e30e299b146957e280f9e974f84a3a238e20e8f7d192a070542c317fbf59bdf89e620a80cc4f2e9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59306d.TMP

MD5 99d5fffe4671db326a3991156c51f5f1
SHA1 4532db51f8b10aae6fc1571b17405e4658ef7e01
SHA256 11548231df78e09a60b0fec4f76464d2e4bda32a1c0837aa81cd642317211fa0
SHA512 ef443ea07ec648ebeeda90d259d75a83a9f096257de9b2ec44d8d0d2dbaabf3d42c9dd8189e2d114ddcb01b4fc1bb7dccb52581df7a7d1f4065af4ef903a80b5

memory/4432-876-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-877-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/6188-879-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-880-0x0000000000F80000-0x000000000143F000-memory.dmp

memory/4432-881-0x0000000000F80000-0x000000000143F000-memory.dmp
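The Files list above mixes three kinds of entry: files the sample dropped (a copy of itself under a random Temp directory whose SHA256 equals the analysed sample, a second PE under AppData\Roaming, a PowerShell script), memory dumps of the processes involved, and Firefox/Edge profile files that the sandbox's own browsers rewrite while the detonation runs. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the flat path/hash records and the memory/<pid>-<n>-<start>-<end>-memory.dmp entries into structured records, flags the self-copy and the empty-content entry (the crashpad named pipe carries the hashes of zero bytes), and groups PIDs whose largest dumped region has the same size, which here pairs 4244 with 4432 and 4776 with 5060. The EXCERPT is constructed from lines of this report; the browser-profile prefixes treated as churn, and the reading of equal region sizes as the same PE image under several PIDs, are the example's own assumptions rather than statements made by the report.

```python
"""Triage the 'Files' section of a sandbox report (added example)."""
import re
from dataclasses import dataclass

# Analysed sample's SHA-256, copied from the report header.
SAMPLE_SHA256 = "e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d"
# SHA-256 of zero bytes: a record carrying it had no content to hash.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Assumption: paths under these prefixes are browser profile churn, not drops.
BROWSER_CHURN = (
    r"\AppData\Roaming\Mozilla\Firefox\Profiles",
    r"\AppData\Local\Mozilla\Firefox\Profiles",
    r"\AppData\Local\Microsoft\Edge\User Data",
    r"\??\pipe\LOCAL\crashpad_",
)

# Constructed excerpt: lines copied from the report's Files section.
EXCERPT = r"""
memory/4244-0-0x0000000000C40000-0x00000000010FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
MD5 7f8b4777a6921d7fe085191955d8f9e8
SHA1 0157193e769423cc5073c6e0f48b2cd879c06497
SHA256 e72c30dd2fef80237f6eee270269656dc0e2a525ae38c2df8fc95f77334f9e0d
memory/4432-18-0x0000000000F80000-0x000000000143F000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000026000\ff7f5d0903.exe
MD5 50d7b4ddde987f738f29064556b31177
SHA1 8665b718cf44194c50d2eed8981b8e643debb98b
SHA256 0c38ce400b5a99c4d0350fc0e3a5c8f7bb366d73ba850ead3bd63dcc709941c8
memory/4776-48-0x0000000000E70000-0x00000000014C7000-memory.dmp
memory/5060-64-0x0000000000B30000-0x0000000001187000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1
MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
\??\pipe\LOCAL\crashpad_2704_HVJUTPYRNCFDZHCM
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 9518e437001e95819eeac6acea59a95b
SHA1 386b87199d173f83e4022dce0fb264bb8b545167
SHA256 f076fb159850579e509d01d4be2193041b1d64e37720cb2913218ab798696cd8
"""


@dataclass
class FileRecord:
    path: str
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse(text: str):
    """Return (file records, memory regions) from the flat report text."""
    files, regions = [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = MEM_RE.match(lines[i])
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            i += 1
            continue
        rec = FileRecord(path=lines[i])  # any other line opens a file record
        i += 1
        while i < len(lines) and (h := HASH_RE.match(lines[i])):
            setattr(rec, h[1].lower(), h[2].lower())  # hash lines that follow it
            i += 1
        files.append(rec)
    return files, regions


def classify(rec: FileRecord, sample_sha256: str = SAMPLE_SHA256) -> str:
    if rec.sha256 == sample_sha256:
        return "self-copy"  # same bytes as the analysed sample at a new path
    if rec.sha256 == EMPTY_SHA256:
        return "empty"  # nothing was captured, e.g. a named pipe
    if any(p in rec.path for p in BROWSER_CHURN):
        return "browser-churn"
    return "dropped"


def iocs(files):
    """Unique (path, sha256) pairs worth hunting for; churn and empties excluded."""
    seen, out = set(), []
    for rec in files:
        if classify(rec) in ("self-copy", "dropped") and rec.sha256 not in seen:
            seen.add(rec.sha256)
            out.append((rec.path, rec.sha256))
    return out


def group_pids_by_image_size(regions):
    """Map size of each PID's largest dumped region -> PIDs sharing that size.
    Assumption: equal sizes mean the same PE image under several process IDs."""
    largest = {}
    for r in regions:
        largest[r.pid] = max(largest.get(r.pid, 0), r.size)
    groups = {}
    for pid, size in largest.items():
        groups.setdefault(size, []).append(pid)
    return {size: sorted(pids) for size, pids in groups.items()}


if __name__ == "__main__":
    recs, regs = parse(EXCERPT)
    for rec in recs:
        print(f"{classify(rec):13} {rec.sha256[:16]}  {rec.path}")
    for size, pids in group_pids_by_image_size(regs).items():
        print(f"image size 0x{size:X} seen in PIDs {pids}")
```

Run against the full section, the same parser also shows why a path such as prefs.js or AlternateServices.bin appears several times with different hashes: each record is a separate write, so the hash of a browser profile file is not a stable indicator, while the self-copy and the two dropped payloads keep one hash across every record.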