Malware Analysis Report

2024-10-19 09:08

Sample ID: 240911-2l4rtaxbmr
Target: 81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3
SHA256: 81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3
Tags: amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3

Threat Level: Known bad

The file 81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3 was found to be: Known bad.

Malicious Activity Summary


Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-11 22:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-11 22:41

Reported: 2024-09-11 22:43

Platform: win10v2004-20240802-en

Max time kernel: 148s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8aaeef7988.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\8aaeef7988.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4656 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4656 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4656 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4932 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 4932 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 4932 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 4932 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe
PID 4932 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe
PID 4932 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe
PID 4932 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 3224 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 3224 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 3224 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 216 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 216 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 216 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2528 wrote to memory of 2604 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2604 wrote to memory of 1972 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe

"C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\8aaeef7988.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d01e9e7-e0be-47bb-85ef-3acef40e1c98} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2959f11b-3ed7-4455-a44b-8d64f794b2b1} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8726f46f8,0x7ff8726f4708,0x7ff8726f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8726f46f8,0x7ff8726f4708,0x7ff8726f4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9290bdd-9333-40fa-8d1c-3c2d55dffb7a} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3084 -prefMapHandle 3048 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d770a4b6-7ddc-4b66-9ccf-00fc82eeb8fd} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -childID 3 -isForBrowser -prefsHandle 4192 -prefMapHandle 3128 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f73db00-3888-4fa8-8351-d6ad160fcddb} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4696 -prefMapHandle 4804 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b28d48-fe88-4b20-a3d3-4c467e80da7e} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,5752002928004852318,8336530240661705459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5752002928004852318,8336530240661705459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 4 -isForBrowser -prefsHandle 5952 -prefMapHandle 5960 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59cf6d55-c367-4091-8cf1-d8f67d3535c8} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 5 -isForBrowser -prefsHandle 6088 -prefMapHandle 6092 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e09920e-599e-40e8-abe7-6d7761e8895e} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6288 -prefMapHandle 6292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a76efabf-e0fb-4b28-9d49-03e57f5e7344} 2604 "\\.\pipe\gecko-crash-server-pipe.2604" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12562137685350450046,17814964563467477391,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2

Network


Files

SHA512 c189a45c645cf76743329726b971c6b53af12a648631df4345979bd29166e15755edc4d6969afbdd8a7ad2394d824fbbd67681949e7d795b72ae299394ecea8e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 921f17051ad01d16e68cedc778e2452c
SHA1 a1eae23ecb1e34f620fbf32bcc7ee023f5a176d7
SHA256 7a3bc31dd8956df645c3e865983609b1a5c708da08330f8fae969b58db690c7c
SHA512 f268614e0ebc8573a2d8eff8e42ad01f71a2071b4ca1d5f7ae906eb6414b45f6a0a6f7fe1231f75e02b548ddb093c1145251a13cc99c27718c4b2c74241e5ddb

memory/4932-878-0x00000000005E0000-0x0000000000A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e296845665f3d7f547240691d8d747ac
SHA1 91f06e718877e07edac9dbdfa0a04492e457ba77
SHA256 ffdc779714ad0d8925f09a88d8a0cda74ceb0a869420faff3cf1ac37cc170a97
SHA512 0d23c29710719148c11780184276f875d237214161e19dd8ce81da4df4d588a74c0dce594293ef70c553a1b498482a4d4c0db4f1ed515e876165dd2300623ad1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 cba3409fdfdbf9e9186ff367c69bfc0b
SHA1 5c7d1be1eeec4f75bf085e0fefff80838fc97b67
SHA256 74bfd383f83b6c669132904be8caa6240317f4314dc46a8514ab6d91033bac17
SHA512 e44ec674b7cce047c93ff6cbb1e9af60a58200536c95a47b0acae29c1330abfa86e07fe67848f21ed1beede8d149a1936ddd2474753b8d3165098a9ebd8aa43d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

MD5 b37564ec53b4a8e941b6e6d8d688d9d6
SHA1 d893fa34bbf9e4905722eeb46288e0fb9ebc1a73
SHA256 ce685a9b960fe2c049ca571363e3c747fd8236ebc4adc9024be6dfbc61e9bd9b
SHA512 c7351610f90cff9d8bc76e38da0f9d618699c4fb2766ae17f623cd834223bccc1fcb5bc9e2313ad5f5b05f5a19c6f8b140815a787fc79f2011a968baebff7bdb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 6798288029007948f2e888de4b5c6382
SHA1 828bbdde45485e3b92f0560235bc065a24c84387
SHA256 0f0796d68cc14b34f7fd7c291d2d7ce90aef8747b44b7f9719974635718e7817
SHA512 0f328b19e6976b44cfaedb716c1c42cb71375ae32ae16d2cc186c277b71772aacfe98e812ec04d81f4f706523f792a9bc759f10e8bdfd164fcdd8d63dfeba6b5

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/6304-1236-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/6304-1262-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-1292-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-1776-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-2388-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-2920-0x00000000005E0000-0x0000000000A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8e48148d4235e204f44b07e1f2e0ceb5
SHA1 eeb4bf051279e7a5ac8793aa67398a6294facd13
SHA256 1ef25c779b2d66a4f256ddf51f90a8d0092b6fde452f6df8555cd88c76e1ebd9
SHA512 c58181181168c2f9b53a53c90490e8eba7cb106d0837e343ccffd6f7325ba4ab4187c9e4f34b4e0ff73fb76ba563073c54dcaf75cd410f89c445afc29aed5517

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 fd18e20e5c8b2410d8bcc8979205c075
SHA1 0c9942dc0b5095280de7eee5725ffeaab55dd04c
SHA256 5d6fa437d353037ec996160b1d92fad76fb2ea28fb8e629c89720a413f1d770e
SHA512 938f6b3416d3d18d72f2b5294301bbb5f9be7de77000a77016e5280edfe1655259c32416d1f5d12ba5f4f9c8ed7290a2590533be0360f5e13aedd90eafc44604

memory/4932-3043-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-3046-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/6716-3049-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-3050-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-3051-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-3052-0x00000000005E0000-0x0000000000A8C000-memory.dmp

memory/4932-3064-0x00000000005E0000-0x0000000000A8C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 22:41

Reported

2024-09-11 22:43

Platform

win11-20240802-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\f932e8b3e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f932e8b3e5.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 5020 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 5020 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3404 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 3404 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 3404 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe
PID 3404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe
PID 3404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe
PID 3404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe
PID 3404 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 3772 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 3772 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 3772 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 3708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 3708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3708 wrote to memory of 3496 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 3664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 3664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3664 wrote to memory of 3768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3496 wrote to memory of 4708 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe

"C:\Users\Admin\AppData\Local\Temp\81b5f40971d374ae5981d3c04542894150965a32869bc9bf6ef365a4ad9058a3.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a6ea0911c7.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\f932e8b3e5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1388 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53fae060-91c8-4140-99b8-c5c21200f7da} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3174231d-63df-4eae-9c9e-55d7d4e24ae0} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3376 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ae12f0c-83a5-428d-8f93-97491cf70f0a} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3536 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb5246e9-5569-4ed1-b730-3e6c8dc68fc2} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -childID 3 -isForBrowser -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {083656fa-a752-4304-affd-7ba78c029d89} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5136 -prefMapHandle 5124 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac4e2083-f407-455d-9f4d-d04df5420bbd} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5864 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f494c07-e705-4486-bb56-4fcfbe5e5731} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6012 -childID 5 -isForBrowser -prefsHandle 6020 -prefMapHandle 6024 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15928e48-b075-4fe8-983c-e557cfb43d0d} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6308 -childID 6 -isForBrowser -prefsHandle 6300 -prefMapHandle 6296 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52242fdd-7b2d-46eb-9f3b-e404e19e7e68} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Files
