Malware Analysis Report

2024-10-23 21:50

Sample ID 240911-bzpa6svhpl
Target 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

Threat Level: Known bad

The file 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 01:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 01:35

Reported

2024-09-11 01:37

Platform

win7-20240903-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e976ee612.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0e976ee612.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe | N/A
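Added example (not part of the sandbox output): the registry and file events in the signature tables above (the ACPI VBOX__ key, the System/Video BIOS version values, the HKCU\Software\Wine key, the NLS\Language key, the Run value written by svoutse.exe and the svoutse.job file) are the raw material for a host-side detection. The Python below transcribes those events into a constructed list and runs a small rule set over them, scoring each process. The rules, tags and weights are this example's own assumptions, not the sandbox's; note that the Firefox CentralProcessor reads listed further down are deliberately not scored, since browsers and installers read hardware keys routinely, and a single BIOS or ACPI read is a weak signal until it co-occurs with persistence from a user-writable path.

```python
"""Rule-based triage of the registry and file events tabulated in this report.

Constructed example (not sandbox output): EVENTS is transcribed from the
signature tables above; the rule set, tags and weights are assumptions made
for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str         # key_opened | value_queried | value_set | file_created
    path: str       # registry key/value path or file path
    process: str    # image path of the process that performed the operation
    data: str = ""  # value data for value_set, exactly as the sandbox renders it


def unquote(data: str) -> str:
    """The sandbox renders REG_SZ data quoted and with doubled backslashes; undo that."""
    return data.strip('"').replace("\\\\", "\\")


def _ends(path: str, suffix: str) -> bool:
    return path.lower().endswith(suffix.lower())


# Autorun targets under the user's own profile are the persistence signal here.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)

# (tag, weight, rule name, predicate). Weights are an assumption for illustration.
RULES = [
    ("evasion", 2, "anti-VM: opens the VirtualBox ACPI DSDT key",
     lambda e: e.op == "key_opened" and _ends(e.path, r"\HARDWARE\ACPI\DSDT\VBOX__")),
    ("evasion", 2, "anti-VM: reads System/Video BIOS version strings",
     lambda e: e.op == "value_queried" and (
         _ends(e.path, r"\System\SystemBiosVersion") or _ends(e.path, r"\System\VideoBiosVersion"))),
    ("evasion", 2, "anti-emulation: opens HKCU\\Software\\Wine",
     lambda e: e.op == "key_opened" and _ends(e.path, r"\Software\Wine")),
    ("discovery", 1, "reads installed system language (NLS)",
     lambda e: e.op == "key_opened" and _ends(e.path, r"\Control\NLS\Language")),
    ("persistence", 3, "Run key value points into a user-writable directory",
     lambda e: e.op == "value_set"
     and "\\software\\microsoft\\windows\\currentversion\\run\\" in e.path.lower()
     and USER_WRITABLE.match(unquote(e.data)) is not None),
    ("persistence", 3, "drops a legacy scheduled-task .job file",
     lambda e: e.op == "file_created"
     and e.path.lower().startswith("c:\\windows\\tasks\\") and e.path.lower().endswith(".job")),
]


def triage(events):
    """Per process: set of tags, set of rule names hit, and a summed score (each rule counted once)."""
    report = defaultdict(lambda: {"tags": set(), "hits": set(), "score": 0})
    for e in events:
        for tag, weight, name, pred in RULES:
            if pred(e) and name not in report[e.process]["hits"]:
                r = report[e.process]
                r["hits"].add(name)
                r["tags"].add(tag)
                r["score"] += weight
    return dict(report)


# Events transcribed from the tables above (constructed subset).
SID = r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
SVOUTSE = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
A0FE = r"C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    Event("key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    Event("key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SVOUTSE),
    Event("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE),
    Event("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", A0FE),
    Event("key_opened", SID + r"\Software\Wine", A0FE),
    Event("key_opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
    Event("key_opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", POWERSHELL),
    Event("value_set", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\0e976ee612.exe", SVOUTSE,
          data=r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0e976ee612.exe"'),
    Event("file_created", r"C:\Windows\Tasks\svoutse.job", SAMPLE),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    for proc, r in sorted(triage(EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:>2}  {sorted(r['tags'])}  {basename(proc)}")
        for hit in sorted(r["hits"]):
            print(f"      - {hit}")
```

Run as-is the script ranks the original sample highest (ACPI probe, BIOS read, language check and the .job drop), svoutse.exe next for the Run value that points into AppData\Local\Temp, and powershell.exe lowest with only the language read. The same predicates map directly onto Sysmon registry (Event ID 12/13) and file-create (Event ID 11) telemetry once the event shape is adapted.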

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2096 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2096 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2096 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2980 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe
PID 2980 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe
PID 2980 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe
PID 2980 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe
PID 2980 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe
PID 2980 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe
PID 2980 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe
PID 2980 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe
PID 2980 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 604 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 604 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 604 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2500 wrote to memory of 604 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1796 wrote to memory of 1868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2724 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2724 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2724 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 604 wrote to memory of 2392 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe

"C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.0.1499319890\1995941788" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27bdac14-4e5a-42c6-8505-f6f4488b0f0b} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1268 119d7258 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.1.941564494\828098967" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {734bca0a-d12f-477c-a465-cc03835eef88} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1476 11905c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.2.913314183\253676742" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0c39d0-8782-46c2-9877-6b182ba26ca6} 604 "\\.\pipe\gecko-crash-server-pipe.604" 2112 19db0958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.3.232455944\1753561909" -childID 2 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cd2f149-b1fd-4de9-8be8-4dffdafaabac} 604 "\\.\pipe\gecko-crash-server-pipe.604" 2680 e69b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.4.23732905\1581238818" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d3c253-f9f1-4b91-ae83-6ec5d09f292c} 604 "\\.\pipe\gecko-crash-server-pipe.604" 3836 1e9f0f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.5.1132101368\1917974158" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60b37ab-3970-415f-8e00-79e4bfa3c919} 604 "\\.\pipe\gecko-crash-server-pipe.604" 3936 204a6b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.6.1337948218\1675221534" -childID 5 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bdd08bb-7ceb-4e74-b135-7b3d520c33db} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4116 204a6e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.7.23604496\1758185924" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4340 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a61df30-3b25-48eb-85ac-c77bd836e482} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4400 21d22858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.8.2074418888\357631155" -childID 7 -isForBrowser -prefsHandle 4364 -prefMapHandle 4504 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f200d2f4-d0e7-494d-a6f6-40716243bb34} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4552 227f8758 tab
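Added example (not part of the sandbox output): the WriteProcessMemory rows and the process list above together describe a process tree, and reconstructing it is the quickest way to see what the sample actually did: the original executable copies itself to 0e8d0864aa\svoutse.exe (the dropped file carries the same SHA256 as the sample), svoutse.exe launches two further payloads plus PowerShell, and PowerShell opens Firefox on Google and YouTube account pages. The Python below parses the rows into de-duplicated edges, rebuilds the tree and flags the nodes a responder would pivot on. The edge list and the PID to image/command-line maps are transcribed from the tables above; the flagging rules are this example's own assumptions. Two caveats the code encodes: parent-to-child writes of this kind also occur during ordinary process creation (Firefox writing into its own content processes shows that), so the table is mainly useful as a tree and a second, unrelated writer to the same PID would be the real injection signal; and the PowerShell command line names System32 while the image path is SysWOW64, which is WoW64 file-system redirection for a 32-bit parent, not tampering.

```python
"""Reconstruct the process tree behind the 'Suspicious use of WriteProcessMemory'
rows and flag the nodes a responder would pivot on.

Constructed example (not sandbox output): WPM_ROWS, IMAGES and CMDLINES are
transcribed from the tables above; parsing, tree building and the flagging
rules are this example's own assumptions.
"""
import re
from collections import defaultdict

WPM_EDGE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# One row per observed call; the sandbox logs several per child, so the list
# deliberately repeats lines to show that edges are de-duplicated.
WPM_ROWS = """
PID 2096 wrote to memory of 2980
PID 2096 wrote to memory of 2980
PID 2980 wrote to memory of 1788
PID 2980 wrote to memory of 1268
PID 2980 wrote to memory of 2500
PID 2500 wrote to memory of 1796
PID 2500 wrote to memory of 604
PID 1796 wrote to memory of 1868
PID 604 wrote to memory of 2724
PID 604 wrote to memory of 2392
PID 604 wrote to memory of 2392
"""

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
IMAGES = {
    2096: r"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe",
    2980: r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
    1788: r"C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe",
    1268: r"C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe",
    2500: r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    1796: FIREFOX, 604: FIREFOX, 1868: FIREFOX, 2724: FIREFOX, 2392: FIREFOX,
}
CMDLINES = {
    2500: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'-executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"',
    1796: r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
}

USER_WRITABLE = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def parse_wpm(text):
    """Return the de-duplicated set of (writer_pid, target_pid) edges."""
    return {(int(a), int(b)) for a, b in WPM_EDGE.findall(text)}


def build_tree(edges):
    """children: pid -> child pids; parent: pid -> first writer; roots: pids never written to."""
    children, parent = defaultdict(set), {}
    for p, c in edges:
        children[p].add(c)
        parent.setdefault(c, p)  # a later, different writer would indicate injection
    roots = {p for p, _ in edges} - set(parent)
    return children, parent, roots


def chain(pid, parent):
    """Ancestry from the root down to pid."""
    out = [pid]
    while out[-1] in parent:
        out.append(parent[out[-1]])
    return out[::-1]


def flags(pid, parent):
    """Reasons a responder would look at this node; empty for unremarkable nodes."""
    image, cmd = IMAGES.get(pid, ""), CMDLINES.get(pid, "")
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("image under %APPDATA%/%TEMP%")
    if pid in parent and USER_WRITABLE.search(IMAGES.get(parent[pid], "")):
        reasons.append("parent runs from %APPDATA%/%TEMP%")
    low = cmd.lower()
    if image.lower().endswith("powershell.exe"):
        if "-executionpolicy" in low or "-ep " in low:
            reasons.append("execution policy overridden on the command line")
        m = re.search(r'-file\s+"?([^"]+\.ps1)', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("runs a .ps1 from %APPDATA%/%TEMP%")
    if "\\system32\\" in low and "\\syswow64\\" in image.lower():
        reasons.append("32-bit parent: System32 in cmdline resolved to SysWOW64 (WoW64 redirection)")
    return reasons


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(pid, children, parent, depth=0):
    """Indented text tree, one line per node, flags appended."""
    reasons = flags(pid, parent)
    line = "    " * depth + f"{pid} {basename(IMAGES.get(pid, '?'))}"
    if reasons:
        line += "   <- " + "; ".join(reasons)
    lines = [line]
    for child in sorted(children.get(pid, ())):
        lines += render(child, children, parent, depth + 1)
    return lines


if __name__ == "__main__":
    children, parent, roots = build_tree(parse_wpm(WPM_ROWS))
    for root in sorted(roots):
        print("\n".join(render(root, children, parent)))
```

The rendered tree has a single root (PID 2096) and ten nodes; only the four images under the user profile and the PowerShell node carry flags, while the Firefox content processes come out clean. On a live host the same edges come from Sysmon Event ID 1 (parent/child) or Event ID 8/10 for genuine cross-process writes, which is where the "second writer" check earns its place.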

Network

Country | Destination | Domain | Proto
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp
N/A | 127.0.0.1:49281 | | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | spocs.getpocket.com | udp
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp
NL | 142.250.102.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp
NL | 142.250.102.84:443 | accounts.google.com | udp
N/A | 127.0.0.1:49291 | | tcp
US | 8.8.8.8:53 | accounts.youtube.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
GB | 142.250.187.238:443 | accounts.youtube.com | tcp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | www3.l.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.238:443 | www3.l.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 216.58.212.206:443 | play.google.com | tcp
GB | 216.58.212.206:443 | play.google.com | tcp
GB | 216.58.212.206:443 | play.google.com | tcp
GB | 216.58.212.206:443 | play.google.com | tcp
US | 8.8.8.8:53 | play.google.com | udp
US | 8.8.8.8:53 | play.google.com | udp
GB | 142.250.178.4:443 | www.google.com | udp
GB | 216.58.212.206:443 | play.google.com | udp
US | 8.8.8.8:53 | www.youtube.com | udp
GB | 216.58.201.110:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | youtube-ui.l.google.com | udp
US | 8.8.8.8:53 | youtube-ui.l.google.com | udp
GB | 216.58.201.110:443 | youtube-ui.l.google.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 142.250.179.238:443 | consent.youtube.com | tcp
US | 8.8.8.8:53 | consent.youtube.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 142.250.179.238:443 | consent.youtube.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | ciscobinary.openh264.org | udp
GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
GB | 142.250.187.238:443 | redirector.gvt1.com | tcp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | redirector.gvt1.com | udp
GB | 142.250.187.238:443 | redirector.gvt1.com | udp
US | 8.8.8.8:53 | r4---sn-aigl6nzr.gvt1.com | udp
GB | 74.125.175.137:443 | r4---sn-aigl6nzr.gvt1.com | tcp
US | 8.8.8.8:53 | r4.sn-aigl6nzr.gvt1.com | udp
US | 8.8.8.8:53 | r4.sn-aigl6nzr.gvt1.com | udp
GB | 74.125.175.137:443 | r4.sn-aigl6nzr.gvt1.com | udp
US | 8.8.8.8:53 | play.google.com | udp
GB | 216.58.212.206:443 | play.google.com | tcp
US | 8.8.8.8:53 | play.google.com | udp
GB | 216.58.212.206:443 | play.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
NL | 142.250.102.84:443 | accounts.google.com | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 142.250.179.238:443 | consent.youtube.com | udp
US | 8.8.8.8:53 | consent.youtube.com | udp
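Added example (not part of the sandbox output): most of the Network table above is Firefox being opened on Google and YouTube pages and doing its normal start-up traffic (DNS through 8.8.8.8, Mozilla remote settings, Pocket, the OpenH264 plugin download, QUIC to Google over UDP 443). The four rows that belong to the sample chain are the plaintext HTTP connections to raw IP addresses that were never resolved through DNS. The Python below takes a verbatim subset of the table as constructed input and separates those direct-to-IP connections from resolved traffic, loopback and DNS, then defangs the result for an IOC list. The classification labels and the defang convention are this example's own; the report shows no request content, so the direct-to-IP hosts are reported as candidates, nothing stronger.

```python
"""Separate the sample's own network activity from the browser noise in the
Network table above.

Constructed example (not sandbox output): ROWS is a verbatim subset of the
table; the classification logic, labels and defanging are this example's own.
Hosts contacted as raw IP literals with no preceding DNS answer are reported
as candidate C2, since the report shows no request content.
"""
import ipaddress

ROWS = """\
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
N/A 127.0.0.1:49281 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
"""


def parse_rows(text):
    """Yield (country, host, port, domain, proto); domain is None when the column is absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # loopback rows have no Domain column
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        yield country, host, int(port), domain, proto


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def summarize(text):
    """Bucket every row; each bucket is returned as a sorted, de-duplicated list."""
    out = {"dns_queries": set(), "resolved": set(), "direct_ip_no_dns": set(),
           "loopback": set(), "plaintext_http": set()}
    for _country, host, port, domain, proto in parse_rows(text):
        dest = f"{host}:{port}"
        if ipaddress.ip_address(host).is_loopback:
            out["loopback"].add(dest)
            continue
        if port == 53 and proto == "udp":
            if domain:
                out["dns_queries"].add(domain)
            continue
        if domain is None or is_ip(domain):
            out["direct_ip_no_dns"].add(dest)      # no name was ever resolved for this host
        else:
            out["resolved"].add((domain, dest))
        if port == 80 and proto == "tcp":
            out["plaintext_http"].add(dest)        # port alone is not the discriminator
    return {key: sorted(values) for key, values in out.items()}


def defang(dest):
    """185.215.113.103:80 -> 185[.]215[.]113[.]103:80 so the IOC is not auto-linked."""
    host, port = dest.rsplit(":", 1)
    return f"{host.replace('.', '[.]')}:{port}"


if __name__ == "__main__":
    summary = summarize(ROWS)
    print("candidate C2 (direct-to-IP, no DNS):")
    for dest in summary["direct_ip_no_dns"]:
        print("  ", defang(dest))
    print("plaintext HTTP, all:", summary["plaintext_http"])
    print("names resolved via DNS:", len(summary["dns_queries"]))
```

The plaintext_http bucket is kept separately on purpose: 88.221.134.209:80 (ciscobinary.openh264.org) is also port 80 but was reached by name, which is why "HTTP to a raw IP with no DNS lookup" rather than "HTTP" is the property worth alerting on, and why the UDP 443 rows (QUIC) should not be read as anomalies.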

Files

memory/2096-0-0x0000000000A40000-0x0000000000EF2000-memory.dmp

memory/2096-1-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

memory/2096-2-0x0000000000A41000-0x0000000000A6F000-memory.dmp

memory/2096-3-0x0000000000A40000-0x0000000000EF2000-memory.dmp

memory/2096-4-0x0000000000A40000-0x0000000000EF2000-memory.dmp

memory/2096-6-0x0000000000A40000-0x0000000000EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/2096-15-0x0000000000A40000-0x0000000000EF2000-memory.dmp

memory/2980-17-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-18-0x0000000000A61000-0x0000000000A8F000-memory.dmp

memory/2980-19-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-22-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-21-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-23-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-24-0x0000000000A60000-0x0000000000F12000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/2980-40-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-42-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-44-0x0000000000A60000-0x0000000000F12000-memory.dmp

memory/2980-43-0x0000000006780000-0x0000000006E0D000-memory.dmp

memory/2980-45-0x0000000006780000-0x0000000006E0D000-memory.dmp

memory/1788-46-0x0000000000200000-0x000000000088D000-memory.dmp

memory/2980-64-0x0000000006780000-0x0000000006E0D000-memory.dmp

memory/2980-63-0x0000000006780000-0x0000000006E0D000-memory.dmp

memory/1268-65-0x0000000000180000-0x000000000080D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1788-76-0x0000000000200000-0x000000000088D000-memory.dmp

memory/1268-79-0x0000000000180000-0x000000000080D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

MD5 2f78029d64fa50c83971df4591e1c227
SHA1 aab4374ecb366c26e915b0b33a3a80f18b0c5a14
SHA256 2cf672042c6966a5fe1808fd9d7a0db44bea807f3f2c661c2e7224ceee65b6f0
SHA512 f731de5f51f65aede63395287a13de6dd1260c4594cb580942d7d1b629d916148345d150587f31792e15bbb9ebf89d7853aaa9f9c0126189351d107e84c487f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\c7ea333f-883f-4977-af7b-50c60a251f65

MD5 e80dedbb08b937abb560793d385f7853
SHA1 bc8168b139c3b68b67bab0c2eb739d33ebd06345
SHA256 3122687c9910f701ff452c6080f46309d4bf119a53cbbc155dae88cbfb37d9e1
SHA512 f79850a63c0958a9309f312ec519ba449bcc14a0d035fe5ce64f88b4e0c750a863fe87a307a9b485fb2f7de1a8aaad6d05cf7207aee9c99bdf5c6f3b4d4050a6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

MD5 6ac5797834975c7bc1955888feaea94c
SHA1 3663afbd9720d6af3a14cc51dcb34189365cd1a4
SHA256 af7fc9f0ed78cd00817baf8be55e1c881511d0ea154cde9e663deda433775fac
SHA512 4b291507252c6834a5ff63a4a99c85fc949d0fec209c6a3ccb675abef3a02540946f9688ac4632b5af95adc346b6303793c096a168da4e389c5bf7b00a668bcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

MD5 f61c79cc95800c7154882837d246e85a
SHA1 46776fad7e2c8d143fa24ce9169d49cf8ad2f404
SHA256 3bf5a0f423d843d64a233d4cd1a975dc6041229130cf4fb3009b0dc5a5cb7140
SHA512 ecdbbcde85661c3d1b7b550fda87d1224f7c3395b343fd927f56003c9f424ca410f8385edca42cb730395a261a55a01b07d5e0313f367c410e54d3d75fc5ef3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 01:35

Reported

2024-09-11 01:37

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c1b23237e3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c1b23237e3.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2156 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2156 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3376 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe
PID 3376 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe
PID 3376 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe
PID 3376 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe
PID 3376 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe
PID 3376 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe
PID 3376 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3884 wrote to memory of 1924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1924 wrote to memory of 996 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3884 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3884 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4344 wrote to memory of 4352 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 996 wrote to memory of 5024 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe

"C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\c1b23237e3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3991bb8-f253-494e-930c-73c4cdaac7f7} 996 "\\.\pipe\gecko-crash-server-pipe.996" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6abf46f8,0x7ffe6abf4708,0x7ffe6abf4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe6abf46f8,0x7ffe6abf4708,0x7ffe6abf4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42f219d8-d090-454d-a24f-99429c03a1ca} 996 "\\.\pipe\gecko-crash-server-pipe.996" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02cb5f24-ead2-45ef-a207-ef150992f6d0} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3580 -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e095a4c-ffd8-43cf-80c7-d6008f4e25bb} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3708 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d2115b5-868c-4d56-8a19-0a8039f0b149} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4584 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4524 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb765020-30f8-42cf-a262-650ddd03864d} 996 "\\.\pipe\gecko-crash-server-pipe.996" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16330676528335149785,6157326513225583787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16330676528335149785,6157326513225583787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 4 -isForBrowser -prefsHandle 5880 -prefMapHandle 5876 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b15cbc-db36-4c8c-87bc-619c695f7ca0} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5800 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af86167-52b6-4edc-9546-5f8b36d3d313} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6268 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd348ed9-7aa4-413a-88b6-d18652d41c33} 996 "\\.\pipe\gecko-crash-server-pipe.996" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1484,1596312551163598098,3445094107836942328,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2984 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 213.24.239.44.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:52058 tcp
N/A 127.0.0.1:52068 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 consent.youtube.com udp

Files

memory/2156-0-0x0000000000B00000-0x0000000000FB2000-memory.dmp

memory/2156-1-0x0000000077154000-0x0000000077156000-memory.dmp

memory/2156-2-0x0000000000B01000-0x0000000000B2F000-memory.dmp

memory/2156-3-0x0000000000B00000-0x0000000000FB2000-memory.dmp

memory/2156-4-0x0000000000B00000-0x0000000000FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/3376-18-0x0000000000FE0000-0x0000000001492000-memory.dmp

memory/2156-17-0x0000000000B00000-0x0000000000FB2000-memory.dmp

memory/3376-20-0x0000000000FE0000-0x0000000001492000-memory.dmp

memory/3376-19-0x0000000000FE1000-0x000000000100F000-memory.dmp

memory/3376-21-0x0000000000FE0000-0x0000000001492000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\87f041225b.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/1504-37-0x0000000000E60000-0x00000000014ED000-memory.dmp

memory/1504-38-0x0000000000E60000-0x00000000014ED000-memory.dmp

memory/1504-39-0x0000000000E60000-0x00000000014ED000-memory.dmp

memory/1504-48-0x0000000000E60000-0x00000000014ED000-memory.dmp

memory/3308-56-0x0000000000160000-0x00000000007ED000-memory.dmp

memory/1504-58-0x0000000000E60000-0x00000000014ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/3884-66-0x0000000002EE0000-0x0000000002F16000-memory.dmp

memory/3884-67-0x0000000005B50000-0x0000000006178000-memory.dmp

memory/3308-69-0x0000000000160000-0x00000000007ED000-memory.dmp

memory/3376-70-0x0000000000FE0000-0x0000000001492000-memory.dmp

memory/3884-71-0x0000000005A30000-0x0000000005A52000-memory.dmp

memory/3884-73-0x00000000061F0000-0x0000000006256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywmihjvj.ivf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3884-72-0x0000000006180000-0x00000000061E6000-memory.dmp

memory/3884-83-0x0000000006380000-0x00000000066D4000-memory.dmp

memory/3884-84-0x00000000067E0000-0x00000000067FE000-memory.dmp

memory/3884-85-0x0000000006800000-0x000000000684C000-memory.dmp

memory/3376-87-0x0000000000FE0000-0x0000000001492000-memory.dmp

memory/3884-88-0x0000000007830000-0x00000000078C6000-memory.dmp

memory/3884-90-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

memory/3884-91-0x0000000007E90000-0x0000000008434000-memory.dmp

memory/3884-89-0x0000000006D50000-0x0000000006D6A000-memory.dmp

memory/3376-95-0x0000000000FE0000-0x0000000001492000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 847d47008dbea51cb1732d54861ba9c9
SHA1 f2099242027dccb88d6f05760b57f7c89d926c0d
SHA256 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512 bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\f521ed51-eb85-4ef4-b549-09093b543900

MD5 f968937fc0b130cdc0195cd8f18ca3bd
SHA1 c8ee52fd6212dc4ed5787a017f9501105d8d959f
SHA256 c8d0707004c618453cbdf5e655d950e48c4c1b5fec9538101d7ef0722b3f339d
SHA512 9993e66206d568203b160ae548e31734b55fc6dda1ffe6deabf9b56d5071271835051d96d15d3671164525aa539dfd4f16350f78f46b498fa5af2fc75a0367a6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\1c4b12df-5751-4602-8e2a-7717223b67ff

MD5 dbe702f26d274091d6b063b3edb97706
SHA1 8e4eb33acfe1e87aa128bfc89cc7f11cd1c7c3ca
SHA256 c10fab645e0fad14125653841cf4ccc1adaad1dca331286469a81dc3771fe84c
SHA512 ee1ac1f5f860ef5eabca9bec7f643a08f58abed6230adc11599383f098b9e8eea32c0c1dd5ddb9b160f644185df744bf2e3bcfb6a6f1a6a20d9506e4b1e835e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 cf74faf971887635de351cad6aea79b2
SHA1 77db5a89add76137e7f5571396f0c3c77045d370
SHA256 5159fd9fcb8e5987111b9acc8cc4331cd4462b6c36c5f52811e205a45ad63d9c
SHA512 52ac955d87469fe8806032d5bcd22160738f111927362d302a247e129ca5203a4f939ab953ce38ef19a791f485f9537b9f8a8692ed87a765e1c8eb27639bac87

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 be9a43b543edc536a5079338ad138afc
SHA1 28e1047b78d229ec8caf26653838fddc6c22fb75
SHA256 610cf8207e4b2888cb8d0845178bacf5da00e13e9b27facdb73c658372d55902
SHA512 66c7a5d49715c1f6d65916ad9935791e11dbf1ac3bcd887a54b866d738d8c6d1fc6fc1bee82f05dcb93da5ec50c25cbddcc9ad7cf1d43dcca9c19b536cd6f70d

memory/3376-338-0x0000000000FE0000-0x0000000001492000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 5109d8466591469cb13fba78d3a28713
SHA1 b5d34c3bed6c923e8ade507fef2b51946567a981
SHA256 89b8c08fb4418c976fe78c72a1b3765e64cb49f4760b65c877dcc3cdde7dd8e6
SHA512 405063f482de89d3a2157b438e3c3f64a4f57c754de9a77d01cde12f9e13f5a559236f59d49eadb808028787236026e716914f3aa5e2061acfd837e01c1b2766

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 c68a1e4efc48fe015061b889bfebbea1
SHA1 2bfdcbcd8faf1a9d9e0f49f48abebe32ea083606
SHA256 f788c37c694bd809a69bce447b313824820f3464d1e2926f60ec1d1d1d55d7e9