Malware Analysis Report

2024-10-23 21:51

Sample ID 240911-btj49swglf
Target 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

Threat Level: Known bad

The file 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 01:26

Reported

2024-09-11 01:28

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c2f9460dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4c2f9460dc.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 904 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 904 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 904 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 5080 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe
PID 5080 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe
PID 5080 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe
PID 5080 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 5080 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 5080 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 5080 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1220 wrote to memory of 4892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 4892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 4892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 4460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 4460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 4460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1220 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 2284 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1220 wrote to memory of 2952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2952 wrote to memory of 464 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2284 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7955a19-5f8b-4cf0-8f77-5a72486393c9} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b178f209-fe1f-455f-9ece-a578440aa13c} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b78c46f8,0x7ff9b78c4708,0x7ff9b78c4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c96cd218-31a6-4649-8b1d-398391169b11} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b78c46f8,0x7ff9b78c4708,0x7ff9b78c4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3560 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e8b1946-58ef-4700-96fe-d98564d5fddd} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -childID 3 -isForBrowser -prefsHandle 4216 -prefMapHandle 4212 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7735c82a-c08a-4731-a299-c31adc2fc272} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4944 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea7ecdbe-d311-4fed-b111-8a028621e9dc} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17782991917194711110,8706140894671002483,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5428 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f30a55af-c823-4e62-bd91-262cd8667057} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5cc8d04-dd3d-462b-b925-d1f3c6b4e400} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 6072 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b609e4-572d-4f10-9ee0-5181f6b956ba} 2284 "\\.\pipe\gecko-crash-server-pipe.2284" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8216428242050054159,5393037701557747116,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6000 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.212.238:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 158.124.235.44.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:52644 tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:52663 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 88.238.56.23.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/904-0-0x0000000000DE0000-0x0000000001292000-memory.dmp

memory/904-1-0x0000000077CE4000-0x0000000077CE6000-memory.dmp

memory/904-2-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

memory/904-3-0x0000000000DE0000-0x0000000001292000-memory.dmp

memory/904-4-0x0000000000DE0000-0x0000000001292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/904-18-0x0000000000DE0000-0x0000000001292000-memory.dmp

memory/5080-17-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-19-0x0000000000421000-0x000000000044F000-memory.dmp

memory/5080-20-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-21-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\a5751c2930.exe

MD5 ce4bfa9c358165bde9bb408a2cb57b89
SHA1 e7d7c6e20a558cdbb8ca0a8614bf48a1bdb60396
SHA256 8b715b6ede4282228d035a69684c3e67328cef609504a7353c5151aa8ffafef9
SHA512 3ace12ec036ff30834223176f3b8f917e62e853afb7cf7735d426be5cb2d02cfc39b0ce2879a162dcfb7f32003f7f954a81ad527e247a2b424dcc1a11af5f6f3

memory/4632-37-0x0000000000F10000-0x000000000158F000-memory.dmp

memory/4632-47-0x0000000000F10000-0x000000000158F000-memory.dmp

memory/4632-46-0x0000000000F11000-0x0000000000F25000-memory.dmp

memory/5080-55-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/4504-56-0x00000000006F0000-0x0000000000D6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1220-64-0x0000000002B60000-0x0000000002B96000-memory.dmp

memory/1220-65-0x0000000005680000-0x0000000005CA8000-memory.dmp

memory/5080-66-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/1220-67-0x0000000005590000-0x00000000055B2000-memory.dmp

memory/1220-68-0x0000000005CB0000-0x0000000005D16000-memory.dmp

memory/1220-69-0x0000000005DD0000-0x0000000005E36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1padox2.0fc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1220-79-0x0000000005E40000-0x0000000006194000-memory.dmp

memory/1220-80-0x0000000006480000-0x000000000649E000-memory.dmp

memory/1220-81-0x00000000064A0000-0x00000000064EC000-memory.dmp

memory/5080-83-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/4632-84-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1220-100-0x0000000007790000-0x0000000007826000-memory.dmp

memory/1220-101-0x0000000006A30000-0x0000000006A4A000-memory.dmp

memory/1220-102-0x0000000006A80000-0x0000000006AA2000-memory.dmp

memory/1220-103-0x0000000007DE0000-0x0000000008384000-memory.dmp

memory/5080-106-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1 eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256 dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\89a4cf8a-c957-4f68-8ee2-ce9d98c8d008

MD5 1476141249de872a48652235e506bb85
SHA1 2cc969916a4a9a67ae1226a815ce6aa31807dfa2
SHA256 eed1767dd9012d9795817a227f5db8d053da15c2d516e1fd0cc82755cde49897
SHA512 590109e8f73f80cc6fdf426a70978348d96c1e0e30f2ffb004abccbca082f7c4cdc8c24f59f5197312763ac0c92aaeab3c71aed78fb5ee69fb9db0385dfb42c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 cbcd698d9b0f3eceb62e72cbe164e619
SHA1 82db01993f6ee0dedf2a84c685fd6a728ff49d69
SHA256 7acfad56a15bfb018897a2bcb7e092a6b6a8d6450554f276239ed9e2e2e4fd9d
SHA512 b2cc208cc6e5568a988331a4e5ebda4751b69223ce19c620397a7fa04435abe9c4a7d8703e633df454cac26057f313e68936944d3b77d480442389b952fab90c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\33c55f45-1b14-4e23-b396-d8ed978bec7c

MD5 2e6e28e3c46b133e2bb539f308de61b4
SHA1 18813f5559995e04a2b5fd1f92104d5874cb72df
SHA256 0d4c0b30dd01033957dfd834f96536eb0fe43724b6ca54c4db0f41bf5f913c5e
SHA512 cd31fad61282daa78ee8a31ad6e399bfbe4701af0ea34e5f20b94935a0f7de298412aa4aea72f7d1cf5c31be44d83b481ae9224a56c7443fd4d617e8b7cd1b3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 82e27fa66a66a58a6c6d7069d62774ab
SHA1 f48acd1de626975bff1ffec9b31543e162cc0fd2
SHA256 0b159ab855bccc3ae50242c88e63c1337dad50c746647314d9adf5b76e3e822e
SHA512 5789fe854357606f77329862a00f72ca0dc7c37b874ce4ed71aa65944ec6096fd983f89f51788f002a87833a32233420221519930ff4865bb0298f78e3ab85c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 6cca828b8fa731da7731f983e9c9652c
SHA1 83da3ffc800bdbcb52479316178999c7cee6a340
SHA256 36632989737dc020fba30fe3c79cdd4f8b577a2cffd62d8b242d17017b9cc1d6
SHA512 5a6f6d0e118418e6d2edd47a8a1ac7a952e888bbfb250cc7416decb0512592b6095d794e922fdc7eeb59c36f9d1ad1bab8ddab077bd835a3073ffa668478220c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 84481e8ad9a8a51404edf3337d8734f9
SHA1 c11e8d0ab0088ac5ed2fb032adb996515a4865dc
SHA256 f14e31364b6a27fe18da608f865da4a8c20ae8229376104c0e87d9a8b51b7f88
SHA512 68256cd2672800c296fae2f12f742c4690bcf8a0865bb4b126917ec2c3305dbe0bf2e3531773848daac7981c9c5129caf46db1e2c7bb8989e7499fa03ab125f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 0e0fb76cc9782b3fb260177712fc9a3f
SHA1 e2b005bd7ee12d03381877645b178bab37330fff
SHA256 ec6e6fd39e9e2503c2d8e84bea7df84ca079312596b9d4875c8cc7a011bca0c5
SHA512 42e53de2120ccb6a97e01c5f094d4f353c6e6307b2b7ed36a9c96dcff207b4bdc17e7ac4d45c762fdc39abc0506e6330f51992a41813bd26b418957bfa9796e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 97e39a3bde05fdd6bd0194817342e49e
SHA1 75f63d9005f5ca6dd2ccbaed4003284b073b9497
SHA256 e8a7fb3c47a05f71f63d027f626df3bb597c7dc1bf96ec246ee5847b82b1f1d4
SHA512 4e634a745322274a29ed14f7176de1aef6d913b37c9f1ebf71e673c219b9572717d196a3c75bd485d458d8005c4e8d74eb61afe4d4efeed4947fc7073d546055

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e4f80e7950cbd3bb11257d2000cb885e
SHA1 10ac643904d539042d8f7aa4a312b13ec2106035
SHA256 1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA512 2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 04517bf5eb491afca256d6be3598c7af
SHA1 51c65a20bb429769e4eefe59b073a039e81d8730
SHA256 72fb84b541b8ceab3bed25d65421981b6f4a7cd208dc47d42e79296d4c680421
SHA512 c20a532b1c140b9c2fbd1bd1cd3de08e13899f7bb49925a253ca0db59f24e862c1452a6209d7565412af18c9db746389a9c7bd4e33b52a7059ce0f4d0e45d5a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd8615bd047186d20d26bfbcdd5455bf
SHA1 c843e849085e6bf1f3362282cfaf77b9f111e165
SHA256 d3fa3aabac4e1d8c94e0ee8f1a3e1aa4dca461a2af8d09f6e374bb72912d83ac
SHA512 ba15847e9d818628edc8116af4fb05bedfd98853cd697efc6ff97717222e1da4b2a17fae35b543c01f8db17a12163415814f4499c3cd290b0f4028f32912330c

\??\pipe\LOCAL\crashpad_924_CJMSSXMATKBVBSNQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 28a5568c44818fdf595bc1e647de3ba9
SHA1 14e52138ad7868b34cb2e3403902c39a0bebbc84
SHA256 5b68f59a3394280dc68d3c17bfd58fa751bf7891b624e7a68a43f1d3239085cc
SHA512 dc89208272275da3ac8fae48ac61ba5c643cc17410256d5084bbd18859da875382754e4739dc1511c7aa50ac670e1a0af9ec6c05c08c53d06ee605564635e7a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 7208f74d75109af5a875d216b7e9c985
SHA1 7a7932951fd257599274d5150bc5a5e0e21ed189
SHA256 9a6efeb13201c25ea5dee3d205731d87f218cf3b764ad3f25f03113277df01d7
SHA512 2f300ea9e8c5cc611a89322916d68ae2bb75083741abfdbc4647dc81a9caa8300e4af4056e87e27ba8b1443fe2cbcfc5b0c1f7ef09a0adeb45fa018d9076e96d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 c249259719a6ea9bdcfa1b76e799d1df
SHA1 b0c34ed453d3af98c342e5509b7bfb5c5bef7519
SHA256 bfc7ca5d16a4a7c558afe492a0d5c673fd40c32d9855af10059043e276f57e91
SHA512 82aa70d16427976b42af5c3701d3302ec270fad4b5fa00151dc6675de331a3dcc77275e8d6a9350d5db0288224a035cdd3f791a130a7b0811cc3d6a73ea25bae

memory/4632-474-0x0000000000F10000-0x000000000158F000-memory.dmp

memory/5080-473-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/4632-550-0x0000000000F10000-0x000000000158F000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cookies.sqlite-wal

MD5 a33c39f34f0384bb33ec6de1c6f7c127
SHA1 cbf4f0ef3ace010dcb34b83942234b38fa41eaa1
SHA256 78902dd8bf9cbf0a4717879a09ab7c19a46c7de87b8be1fbfa273eb96b5725c7
SHA512 9ca348ad33ba6aba8deb8b077dc178049410eb37c8858a9fd782efd4322b8019a3f0618bca52d444f72af566101892a239027aa781347750d31d594be1d8e9b8

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4632-623-0x0000000000F10000-0x000000000158F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\places.sqlite-wal

MD5 cefa5a93a087155d4c5375af64c764bf
SHA1 6132a42cac1083343c64388b4d9b88ce708d99e7
SHA256 0d847b52ceda932c816e76c75afb69c05c732fe7012511549ea6d3f2508a575b
SHA512 91df295f2ef585b295d5457e45d7e92f402865eecb960219aa22e7049a5d438a08edb34be8312ea6b4fd373892c740386705af64cf4ddc4af82b02dd892bc6b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\places.sqlite

MD5 cda44dd6db7a03963f473fb083298d5c
SHA1 0ea5ebeb8fe50757c01230564f81c54ca4e9d3a9
SHA256 7bf14c8c32ffde277670af381522ca217fe189ce84fc54f9ad862cea8274118a
SHA512 b3c14ba0d9613d273d327f3739208d55cce10be0e6b885c32db4b54f74e2673f9c5300a196e3db7ced0a028957d69eefa72924254df01441e9542fb42291fb58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

MD5 642b928d2d7a8622ff4c23294f5f3431
SHA1 9bd34953566221a3a5bfc43107934964f0010a58
SHA256 ad03a1324ed81c4f44723127cf869a1b2143198f125c32d3d15dc7d2d4971ea9
SHA512 b4a101a81147c27fa9c5ba27508e8cb57f0c895af869fe04c44a8007637d2a661e34b284f00903fb35e55ad3272c59f3eb752cc495821f205b07e293af96a4bb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 fc07e7c3dcc348e6333a07204e8bfe3f
SHA1 6e207972158bc8c88984b2c6762dd84c8f45a5dd
SHA256 5d27a4881102b8e1707a47819441b6c0381b942013dfdbb3cf7c9d963e6d6c56
SHA512 22c8eabb8d0f0c39db414a411ae188ea39d8f4a169faa3ca34ed16fb8ac42ab839eae3db18dc91069c80610b647f9cdcb5772c12e1133dd82d2a1d76329bd1c0

memory/4504-658-0x00000000006F0000-0x0000000000D6F000-memory.dmp

memory/4504-657-0x00000000006F0000-0x0000000000D6F000-memory.dmp

memory/4632-666-0x0000000000F10000-0x000000000158F000-memory.dmp

memory/4504-671-0x00000000006F0000-0x0000000000D6F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 362feae5490058feae5c3a415d42ee50
SHA1 1c4da7f0a615cad4aeaca5305889c6dac405e9e7
SHA256 78748034ec03d029f37ba9f913baa3e426842b54bbb58d87a876a1792555f6ca
SHA512 89b51f5989fdb25dfc475e7beb264293d7c60d98417010cc13aa531492f8c2f849c6d524a88aa9dc9a8cfb2ce7bd4b6a6b869e58d026d8bacc7e1c88ec82ad22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9fa4e3b015d73365fce8a3baecb60a96
SHA1 90860c3f758fa98f83119ad63561963d731ae075
SHA256 f8562735eca366889e3b9fae8ab1e179c9b9e0f1ddae43c4cd47818cf9874ca2
SHA512 92af323dcf698275e2ea9be5c807d9b30e922b9170ff21d655b40905178b0f8e47b141754c3b9345b23042771d17b2a934b3bcbd0259beabb12fa998d2a8009d

memory/5080-700-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 823a3986e8663ddffed1354322edec29
SHA1 4de4c151eb066237724755e97768cf9663bcd1f0
SHA256 5b60cde4468b0be16f49a5749d45ada3be6cc1f1fcdc5d62025e1f1988a67214
SHA512 98bed3cfbd7ffbed3980f0b73ab87a86728ed94f3d6c0d5f5d2cdc0bff6aa3ee5e80b6ba3cddf9c221fa2f51aaacdaedb7f007e54f7ae4bd6881c216c4948668

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 867302073462877be6e6c861894b4ca1
SHA1 6aef51dbad5891c6971de96fd2d74116a3cc6ebd
SHA256 8a9937e27016e20c8d884acc610186287624de2bcc490d2c1cd23cb346805eba
SHA512 3cc239e6ab2d94ba6624b00fe0349fb0c54d7363f2d8f4868cc9dfacd708611268df9b32b0fdbb0fa44ffce78914bc0a6a1a699aa92fa2eec4515e0f1a50c611

memory/5080-723-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 b16689eb426491acd98c0a578593f3de
SHA1 9a1a0abad8773ca362c50a45a45a93b909edfce7
SHA256 01d3c597b1ecb2825a32121cb2a97cff869e6aa5fa2300e5aa1e0208ed8ce00b
SHA512 3fa88efdd11327ec3fd5c6014b614c78154cb6bbcc230be6ea75d8e68cc19dec87778d5297fbb7dbf0a9a99a1bd10471514389e4b4395c8de70a755e1d40c4c1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 685733a7bd2ea60d41daaa535f4e715f
SHA1 6b8c2a43518fb6d3ebffd1704adf2af4db3aae12
SHA256 282e894391444495ed985c114af515439c1eeb7314abf383673fbfd54cddd619
SHA512 d67b682812e197e195655f6a5828099436249e161e086b8beac99f79ce0dbbd8eeacbde63d0c3dbc68469f4bd523f51a9b3ce57b1dcaded7516cf7302c7a7e2c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 960ed4d1ef786918d94476376aa03117
SHA1 32d5e0079aa8ff4c208b77a765afad66f864c4ac
SHA256 3bbb82b09211d284b3ad6bd270d7d40b16d203cc3ebd062f2b8b2b5bd7605723
SHA512 15e169b6fd86a174d1291308b72341e4c916e2d6cf1f1dd256bec959a8c8ebfca3b9a4e2962d56cbd2b80282ff86c1dfa3e2b33f549065039f3e5e71ef26c19c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 427e6d136716caa0baa6e7868d134a98
SHA1 2b283967b1327b20c473d61b771f64fff5390f10
SHA256 1d5ea8103ed9d7721cf69f2f1e6dc74552297f772a0ae448131b636b8eccf472
SHA512 8ee566050a5a95402229471ade238c01b744fed896b3e24f0183d495edd90d695c883d5e13829f0a7245b9636dd7bc94bfd825e385c7a27393518706cf8e5185

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 fc2bf3edd7f91f5fb1f9e5a52283f71f
SHA1 9a43fa994d01fce9cf393dee7e00c3e66c0f2d04
SHA256 450310ec9922f2e1038f1626ef65904944dc5b0a40d7c56c462f10c19eb7768c
SHA512 0967356ebe8fa37287dfdcd94d53689c23ac0093215efe8651d329f99e209a9d45d6f576ffad266262ba6ab0899a23b9b60b33fcbad62ae7da30459bc9bb5f53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 6dd916dbcde7dc9f4d869a172a37e1dc
SHA1 a0c5384f48341b1040bcbd3a9a32f957123421cb
SHA256 1b8bd020ec661583b40fb882d54a5405d732dffe61e06e58f24cecefb689c798
SHA512 3c329d43c34077d8f686d5d11cf5a3fb30dc7f6f63e4905186371cfa942489ef0bffbd9a52a5696b94d59040aba55a9f6deef372d7852ffd553c7a836d77400f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 431f1c24a779ecf3e26b4c67055e3eb7
SHA1 d1567d487df9c21134bcdfb951d083b05d074626
SHA256 43abd99625652b73675a299c1cfb3742350c39debee698d43c9faf224aae89b1
SHA512 915d4120adcf3b9503a6764d8b424e70efde93746bc9baa6b1b46aad74c6073975b491ab3250ba1f70392f2384c11a642e217b3f7cdb941d777834db272062c7

memory/5080-1605-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/4256-2444-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/4256-2486-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-2677-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3005-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3017-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 f363f0e64e4916448267c110eb09d3d3
SHA1 04ef5124fede1394905b80363c7aaab4c10522ee
SHA256 cd9d73a926a67fa89acc413b8d8477c3c6bfd77a3629845247ff3623d7f7a0c2
SHA512 74f294ca62fc7b0dd2a22ef926a0b37770d2fa8ebd5b2ec5ba3624738c8ba25aa7d1c59e8e22983653a40917f9fe3de8acda1fdf38f429afd920abd85f57da4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e890ef6676045524117280c29f54d6e4
SHA1 8868f4734ed809770c46e3b532d5642761d8f11c
SHA256 e1d62df66867cf446bc0f179ec51ba1dd6ff94e6556e6bf802e89017299d2b4a
SHA512 8515fe5f7a75a0d6fee1c3c9714e65a7dadf4927e114f6c7f25508fbe9da865067ec34186be29d9f82b441dd05006e2a213827e1e86ba3224061b7613fe9abe3

memory/5080-3042-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c791.TMP

MD5 268fe28e263085527bf106f4e03a742a
SHA1 fba3c5de76dceb1c25f536ee801e966217173698
SHA256 b1c129dd149da2a8e097bd5603cac1aef840c33be22ca91a92ee5880f4073eae
SHA512 b242f529b520985dcac6fdea4c4e8e15a0775abdcf5109e284c066d0238407d5b768f89e6c9379a54b3e3a921142d5dd70c433a3253f93173320bfa2beb8faa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 89a7f9bcf439b7c9639bc0061e03afc9
SHA1 366c91a70d80ea675110fec7a270068ae5d025f7
SHA256 c738b66362aed218632e688cf4e7d4b62e7bc4c4cb1890bb5b46295c10172c28
SHA512 8425b1ae0e07accccdfe2e8deb774bae557b5bc56d95ac771c85892dd037e85376bf747deb9ad97a681b27c85a6267cabcf171bdda532cc4e934359d05e464dd

memory/5080-3052-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3053-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/2580-3055-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/2580-3056-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3057-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3058-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3067-0x0000000000420000-0x00000000008D2000-memory.dmp

memory/5080-3074-0x0000000000420000-0x00000000008D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8f3d9cbfc939692afb17ad778bbcc893
SHA1 86f2c8e0dabf0e44ec51e5635785845f7ab8e6fe
SHA256 d106cd507ef74e5c145e134a25bb3c58fc5248948fe8e2dedace160d6b103267
SHA512 e2deb56d210d50358e4c9f1e677d425c8e9c9c44f7d7bd855a4817e148ab7ddcf135b24dc657227ed3d4e69d4601585e76566383ca595cab6f6432b9fdfd02d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4ad1a0e8a0eb792aaf7172461746cd8a
SHA1 8fa23b182713b57b706d9a0e39ee68eda80bbd29
SHA256 ff0a9101a922742c00fc0acfd02d02c90431d4896b465651369085d70777f375
SHA512 c027b783ab04c639867f29956e544cd1fcafcba58f504bd8d3107117e97a2b9fc76fc27b08696d3ef01197a3aacba954ecbfa7a5c07cdf583d9243c637f39eaf

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 01:26

Reported

2024-09-11 01:28

Platform

win11-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c2f9460dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4c2f9460dc.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 840 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 840 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2340 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe
PID 2340 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe
PID 2340 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe
PID 2340 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 2340 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 2340 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
PID 2340 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3736 wrote to memory of 912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3736 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3736 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 912 wrote to memory of 2724 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1968 wrote to memory of 3404 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe

"C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be2a389-01ce-4cde-813e-dd7013d81023} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8a1311-2e3d-4bcd-aa58-a21b8ab917b4} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1572 -childID 1 -isForBrowser -prefsHandle 3456 -prefMapHandle 3356 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d623736-4001-42f1-a230-e3ec92ec2ed3} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3c4509-3ea7-42f7-8330-c5941022a208} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 3204 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d231df13-1cc8-4660-a64a-9ec385da9dd7} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4988 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {137a2190-03dd-4a75-a0c7-d7ac66f26d8d} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c419c312-11f1-4dbb-a635-c75727b53603} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 5 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e01d23-e6ed-4f0a-9620-9decff81a330} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f01f80-81e2-44b0-86b3-af21cefd32b6} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.212.206:443 youtube-ui.l.google.com tcp
GB 216.58.212.206:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.212.206:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
RU 185.215.113.103:80 185.215.113.103 tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:49850 tcp
N/A 127.0.0.1:49857 tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com tcp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com tcp
NL 172.217.132.38:443 r1.sn-5hne6nsk.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.179.238:443 consent.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/840-0-0x0000000000160000-0x0000000000612000-memory.dmp

memory/840-1-0x0000000077CC6000-0x0000000077CC8000-memory.dmp

memory/840-2-0x0000000000161000-0x000000000018F000-memory.dmp

memory/840-3-0x0000000000160000-0x0000000000612000-memory.dmp

memory/840-4-0x0000000000160000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/2340-18-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/840-17-0x0000000000160000-0x0000000000612000-memory.dmp

memory/2340-19-0x0000000000CB1000-0x0000000000CDF000-memory.dmp

memory/2340-20-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-21-0x0000000000CB0000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe

MD5 ce4bfa9c358165bde9bb408a2cb57b89
SHA1 e7d7c6e20a558cdbb8ca0a8614bf48a1bdb60396
SHA256 8b715b6ede4282228d035a69684c3e67328cef609504a7353c5151aa8ffafef9
SHA512 3ace12ec036ff30834223176f3b8f917e62e853afb7cf7735d426be5cb2d02cfc39b0ce2879a162dcfb7f32003f7f954a81ad527e247a2b424dcc1a11af5f6f3

memory/1464-37-0x0000000000C80000-0x00000000012FF000-memory.dmp

memory/2340-46-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/1464-47-0x0000000000C80000-0x00000000012FF000-memory.dmp

memory/1464-53-0x0000000000C80000-0x00000000012FF000-memory.dmp

memory/652-56-0x0000000000680000-0x0000000000CFF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1464-64-0x0000000000C80000-0x00000000012FF000-memory.dmp

memory/3736-65-0x0000000002620000-0x0000000002656000-memory.dmp

memory/3736-66-0x00000000051D0000-0x00000000057FA000-memory.dmp

memory/3736-67-0x0000000004F80000-0x0000000004FA2000-memory.dmp

memory/3736-68-0x0000000005870000-0x00000000058D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlg4wtrq.lwl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3736-69-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/3736-78-0x0000000005950000-0x0000000005CA7000-memory.dmp

memory/3736-79-0x0000000005E00000-0x0000000005E1E000-memory.dmp

memory/3736-80-0x0000000005E40000-0x0000000005E8C000-memory.dmp

memory/2340-83-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-82-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/3736-86-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

memory/3736-87-0x00000000074E0000-0x0000000007A86000-memory.dmp

memory/3736-85-0x0000000006370000-0x000000000638A000-memory.dmp

memory/3736-84-0x0000000006E60000-0x0000000006EF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 f2661c5253e21a672b06c382959ce84f
SHA1 ff3c7a572fc24339a13497076bcdbef87e75ea67
SHA256 5853d172447e9bf5a6082603346c1bc508ee7ccdd3ae6b359b2ca229870a54b1
SHA512 1a04fc19a23d142d6be05aa894802d347d5b702b7064dd3b7fca35f4f9c5b0de0513f69b622b034a71139da1228cdf35ba4aaf1f415ada3f46aacdf2442ac8f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 278b21bc12005e1b974d168549615e27
SHA1 ac346a6a056af44eeac2315c7b33a9f4bb22af7e
SHA256 950d46e6e6f4f8779b1e97bddcfca43e250844942f49ecbced60fbca172f2d32
SHA512 d32a48db4017fb36e2d6fc9305bdeaf4e15f3468f4e591d0882ec853dda1c93a326f031021b27c4192c177acf3a5c2efcb61bdf028984188ba144c3fd79dd626

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0e1fb6d6893b822ae74a7499ef841326
SHA1 94a60b863fee10065313a822a1307e9a12a1812f
SHA256 de32cbc4eb8e234509de6b725892f3d9568ca3984858f88d0b365a9637637a73
SHA512 b36033dcd472868902b05c94f5e53f518381d49fcf93e8f114fcba043317794744b9a26bee24ec906590b9fd2df4a8dc6ec5cf7e032c137d8cb7811820a0f41c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\cc57f411-b2b4-422a-8869-d1d79d0b62d9

MD5 4b382e37448e885aa299d69916ee19d7
SHA1 2b473169b67b3f8f50cf403c3d565901b6f87abe
SHA256 b4e013057e720a5cdaca35abd6c68779ca8158e81e028125fc24ca8451175359
SHA512 d75320e074451a668cfe52d715742a26887b3af8787c667e6b450c7cee76e17459e22a3053284135d06c0692c3fd98cd898f5adb78b7907bf2baedb634ed2d44

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\dfe68154-a62b-4dd5-b6c0-cea2286ee4ed

MD5 d0532e9d0eca481186b5d1c7723a88f3
SHA1 573380008203806495f6a85bc2145a017fbfb8ca
SHA256 b32a1ff758240486f87380f6dfde7f31d67090965e814fc27e16de07754c4a1c
SHA512 759cfae958c225d25107d52394140551c76b772baa56640799026a26d5dcd370fbaecc644dfa5ae6a530190eceb4d0708cd7ee81c046437b1ce182dd05ebfcae

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

MD5 f78ef1944027a9c36fbfa80a3f535076
SHA1 fb69ce2ac1ab7ab784d5c79c192abb74f5f54192
SHA256 ecaa0653dd19ff5a00d3924a0e77f80d43c39ef867f359de0a4a53060be182c6
SHA512 2228ce5f7629d0c3ff32b66614446e0a694dc136a8a962f1eefb182c907e574bf2899ffa4b07aae6c10ea69f7c817ffcc130f774f1ea3e490a1b2992845fc080

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 338db648db6aa5339259a43ba9687e0f
SHA1 2a4dac4bd5b48f4e514d43241b4d4b72265fb90b
SHA256 c8a7b08a17bfb7da09886bf6c0a094aaa2cb49f53629fac8e445f1b32556c68d
SHA512 ff4b4ed9eee29a0382e2a05009bb74d43033476c8b5b737ff8b1d6330a5234bce07b9903bb28ad803edd68aa409af8d239360ee129fe64c9c868b5d8c2b5e39a

memory/2340-357-0x0000000000CB0000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 76cbdf57f5d735ba411dd898a0fbda94
SHA1 e855a4294f26d1fec882fa70cf8ebae69c82744f
SHA256 7bd4aa140f9d06c345480b624131046d7274a1001f8ff40ddd2369b1c17568cb
SHA512 736abf55f6d0fd49d77a299770d38c0144aef2b41e1c70d639f159c87825bf52c4d507c70898b3f86f593bbc393626285d6367cf2e5a601749c49166e0dba0d0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 d859b0d0178c9cddb8bd0fb18fc39c29
SHA1 800202f1c546372f3392c368598560a9c118241c
SHA256 83597ced29a8c7eab843464ea1f320c8057e808f76a08127416d21ac982bdcf2
SHA512 c2cd3bf4de6b29b1883f7b9526073545570ca2756e50188861816c4442abc93f904f2b30de2e4974dcf368aff2c4ca96b048a7d6d23cfb28fdb0d97dc9f29e1d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 453ccfe1b9d80a610bd06b744683084a
SHA1 a5d09a125cce2e152b4f57c608ed565ae944a20a
SHA256 6f0ee7023bf954018fa3b6ac39b7b4ed50d6814c082aad052fc048a7a5b373dc
SHA512 b91fbd43ee8e1f7f8ee97276c2f879236e2d19ebe29e7862abb6ebf8a9e4b361f2d06a2defa3facade60deb2b333cf3401f2bcb25d644c61cf64d07e277bc576

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 6c4ff4025194d841084c7e2b483b7723
SHA1 48b84acd28fc95822dcc40b20b20dab4c45ee713
SHA256 38748588ac6fa391c913e3ab7f8d333ea98a9ff1cecf0439bb040334dfe1e4b4
SHA512 42262db7a94bae0d8048d0943d23428e001d3aaae0dc24a2f374f8efd6146fac2d1ce20b714b899fa2d0bc460d5a7c932b303db80f6b40885ad02e706ac069e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 8b94d64a22485271dc9c85e52b7db6ee
SHA1 2686cbfd75e097787008b5eabcfcd21e2d7f5b80
SHA256 cfd4e0398ce9e830569551318f0df81db6955332faf623eff36a4646d230b84b
SHA512 ffa822174baa05e3c4edc29063b73bd9b3c460eef12b4d682ec8cbea70fb9c6033e4cbb68f7d43b7d22c7cd93a54efacec6fc84cdcdf1a264ab2ef147ad451c1

memory/2340-452-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/652-456-0x0000000000680000-0x0000000000CFF000-memory.dmp

memory/2340-491-0x0000000000CB0000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 7da0a609352773988e0a2144939842af
SHA1 0876926c34a5e3c73184323e1b089ab890be7c36
SHA256 fe420dcfcda92d0956eae2dbb6636c51a19b0c8df89d65abef28ae6e6c1bbe89
SHA512 28f6b637fa552d523dae24b06d193efcbb6e171d6afcc90001e749dd576f7d8093dfaf12bce63b9da92187f4efadb7c3a7fe2627ef47337136d711412f93c884

memory/2340-500-0x0000000000CB0000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 c161d0d750d5d7f73083312e332ab2c8
SHA1 027c31c43eff3db6a9d875bbeb8f832bbed1df99
SHA256 e39e2453e6c4f6dca7970eaa850553d72b71b9ff3762a4a21378a5f70f955489
SHA512 c3c2f72f7e0c963406944e8e51446af100b54026cd80b64494a7b5226744b353e8a3f68d68724a81d0036b41acbad631159fe526c0bd230d7ad8a43857ba2d27

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 053126903f986f4040329526718782c8
SHA1 6829c8dcce54263173160217111bb35cf371996d
SHA256 b781aae9e887cf9246efff20c4e903cbf9da77b268247095da903fdba559f96c
SHA512 963822dac385baec38fa47e827dbf7b3aa14a59a1d584970685f8154fdc806355d742889147943d7cb24eee2d308ee303b8af2277f657e4cbbf8b27431cce2ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 3ddf6839dc10bf0b989db75a81282d75
SHA1 6a70b3638ba7f60108821b9fc989c56eaa39294b
SHA256 4c79f2836b38ca67097c2354770ff0788c41e23fc2f4533325469b804ff90cf6
SHA512 72c7215819ec218bee711f2dd696d82eccf5cb1959d3f2673b14df6ea8a2e49b06f84220f2f2d9eaa524fc5a6cac5417429f54c77a04571e1c43af75753f0f19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 742a5365ea6b32c2064d1a7aa867f8bd
SHA1 360d389bd5f2b0258649662baea7d21aa3ef49c5
SHA256 ea7b7c3f6995019d46dcd547f83fe537ab7eb3ba3ddefaf07f8e75daa9dd3aa3
SHA512 4ecb04f7253e5cb1ec2771acb1355ee3a57ec47f535d0a72b3abb3c8a9986900307f744828f76503d484d8cd988bcc227b0352c0fa93dfb222a8e32f4ceed622

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 72cd9b72cdb056aa2208c557dca4b170
SHA1 ebe809613b1dac3aff449723646018277eb8895a
SHA256 d0a4b316aa1159f87cfed25a7600c37232a2d060412b97faa12250ae3546b788
SHA512 c706861893f5e15a5f1f828b0ce2fb85dbcb63c5c7771721764bad9d6f1dd3fd2afd573b7394f4ac0085fd219847d00b9476c3615b2034d8fd1b62b0aaed9947

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cba1db20a5b811a4bc23e21439e36dbe
SHA1 48648946c5806b9c7257dbe6911f1771ab40f653
SHA256 ea544cda49c0a5de46d7a6574766bbdecc4da8f0ba6d1c532514784dc56a8f79
SHA512 80e1fca64a2112892c5b7c502cf68a0cc024c2155e3c890dfc209ac790d4a47860a3baae338f3e9a0daeca6fe9cf966a7ba466bd39e1ca0b202a76fc029ac827

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a02ce5d91776840c982c9bf8cc4b9bde
SHA1 7e1a6240681d634e819f897c87808a6af7babe02
SHA256 189749174905ce0c94de1f691b457d26d0b5b0e986a2b1dc6011a33d9bbf69c7
SHA512 504ae854b00d6893743d0a1bf744eb07f4a1bf4a617a2e0d0677ef28d4e73c43122010f95622eae616918646c1d1fe35a07eb793b87ab949084562adfd58a5da

memory/2340-721-0x0000000000CB0000-0x0000000001162000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 adba886a81996af21e20cd361bb61b09
SHA1 c341446c252798eeaed56de9acd2a4bdd54de391
SHA256 14bcb8456ff7124b94f6b606e3d570a71286f468e2d2dd15d269cba396213759
SHA512 5c858f2447e6bf0c41c4bbcd8793d2ee09b8de798e3f06f925d1173eac8d277709543806400d8dbb6c68a29df813d9a376aee2bbddd54b8bcba7e3c2232eb4a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

memory/5584-1675-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/5584-1736-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2228-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2677-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2684-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2687-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2688-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2689-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/5636-2691-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/5636-2693-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2694-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2695-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2702-0x0000000000CB0000-0x0000000001162000-memory.dmp

memory/2340-2707-0x0000000000CB0000-0x0000000001162000-memory.dmp