Malware Analysis Report

2024-10-23 21:52

Sample ID 240911-c2hf3sxhqp
Target 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f

Threat Level: Known bad

The file 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 02:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 02:34

Reported

2024-09-11 02:36

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a18fe6e015.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a18fe6e015.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1060 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1060 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 748 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe
PID 748 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe
PID 748 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe
PID 748 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe
PID 748 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe
PID 748 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe
PID 748 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 3816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 3816 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4588 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2700 wrote to memory of 1116 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4588 wrote to memory of 3204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4588 wrote to memory of 3204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3204 wrote to memory of 3964 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 2348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe

"C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\a18fe6e015.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f46d37-7eb1-47a6-8ecb-678c6f423d8a} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4900535-6336-4fc3-a711-a5df8c96c505} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff780046f8,0x7fff78004708,0x7fff78004718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3136 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {140ac495-29c3-4516-b6dc-856dd1fc7687} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff780046f8,0x7fff78004708,0x7fff78004718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3604 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3588 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {169843bd-d8b7-4082-bc93-ed105813d4df} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3760 -childID 3 -isForBrowser -prefsHandle 4120 -prefMapHandle 3596 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80723de9-3529-4b03-acea-2113dae73be5} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4580 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {280cd765-67d4-4db4-bb31-b2fd357aa2e4} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10799484367671523446,11037391841005517617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10799484367671523446,11037391841005517617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc7b248e-08d4-46d2-a6bd-1aa1c2434fd0} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb9f9489-ab3b-4e17-985c-b693d3a998a8} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 6 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1068 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e37c694b-1531-42cd-a3ac-eb0dd5c4a659} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12808707999866091056,657303998183836494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.238.56.23.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 213.24.239.44.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:55165 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:55173 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/1060-0-0x0000000000B60000-0x000000000101A000-memory.dmp

memory/1060-1-0x0000000077614000-0x0000000077616000-memory.dmp

memory/1060-2-0x0000000000B61000-0x0000000000B8F000-memory.dmp

memory/1060-3-0x0000000000B60000-0x000000000101A000-memory.dmp

memory/1060-4-0x0000000000B60000-0x000000000101A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 656dad33ed55f336051883f756e7d041
SHA1 83ff37e0f8badb060900511002fb14e8c4deade8
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA512 ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c

memory/748-16-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/1060-18-0x0000000000B60000-0x000000000101A000-memory.dmp

memory/748-19-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-20-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-21-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\5e7edf2ffb.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/2216-37-0x00000000008C0000-0x0000000000F4D000-memory.dmp

memory/2216-38-0x00000000008C1000-0x00000000008D5000-memory.dmp

memory/2216-39-0x00000000008C0000-0x0000000000F4D000-memory.dmp

memory/2216-40-0x00000000008C0000-0x0000000000F4D000-memory.dmp

memory/748-41-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-42-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-43-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-44-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-45-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/3916-61-0x0000000000660000-0x0000000000CED000-memory.dmp

memory/3916-63-0x0000000000660000-0x0000000000CED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4588-71-0x0000000002DE0000-0x0000000002E16000-memory.dmp

memory/4588-72-0x00000000058A0000-0x0000000005EC8000-memory.dmp

memory/4588-73-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/4588-74-0x0000000005FD0000-0x0000000006036000-memory.dmp

memory/4588-75-0x0000000006040000-0x00000000060A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2piyqq3l.wb5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4588-85-0x00000000061B0000-0x0000000006504000-memory.dmp

memory/4588-86-0x00000000066D0000-0x00000000066EE000-memory.dmp

memory/4588-87-0x0000000006700000-0x000000000674C000-memory.dmp

memory/4588-89-0x00000000079C0000-0x0000000007A56000-memory.dmp

memory/4588-90-0x0000000006C20000-0x0000000006C3A000-memory.dmp

memory/4588-91-0x0000000006C90000-0x0000000006CB2000-memory.dmp

memory/4588-92-0x0000000008010000-0x00000000085B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0446fcdd21b016db1f468971fb82a488
SHA1 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

memory/748-115-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\cafdf567-e37d-40bd-a3e9-8dfe61d81e76

MD5 d96575e91be24c28c044de53e6165e32
SHA1 089e4a19ebb1e86f71ddb2ad7115f8fa2e42280c
SHA256 2d56899cbdc9a240f915521e19219d486aabd44d68620e33beada1cb9f53e845
SHA512 df1d9eb7d3c1763cb61d2648e8deae54ec4b173b6f3dd73fdb8387c88c806dee1c74c67438ae50393a174a87db082dbc045ed72fc67aa597562d2fcc3a563cdb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\1cda92d8-fd4e-4f32-bd74-d49c21196c1c

MD5 825d780b9408dfbc56b793d8d810efb1
SHA1 093b38a3e6afd81f43370d47f964202d62d9d1af
SHA256 13a4d72c9277dc6970c7a04eec0e4ee83ac1365030dbf0461353eb0827ee6a91
SHA512 6966d1cfcafb02155b56334f3bc40ff30e0cb10bb2f845c525195a993f30c654be1ddd1ffd52ae39253b63a074548b8cd90cfc7c425a3b0aeda13b5da3e955b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 533c8013689986d89106556912a66505
SHA1 fcd53af96aca58682fbb54c51465a3dc7fd02ee8
SHA256 47a3bd07e6bba7374a21c8125b080e134daa09e69153bddd9c84031ece513175
SHA512 13ec316509a94c4f566944a770be8c2e9221dbf2ec31a87d953077132596734c5d72d2623837f4d137273fb9d7ebd08c68cc3ff7cd43293ab3f41aec14f1b332

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 49a1cd6f38a739d8d13b9c47e40597e1
SHA1 455eeb6ed576725c60d358a47d91a39fd60d0c21
SHA256 341aa1adf9fb65eaa8c60e82ac836228781f8a352219656626922eb85d064d57
SHA512 c5bee669c56e216f41bcf7149a4511c717fc8283400cab6f6e84c12e7eee3830f0d64cae889a1f3b1af42a21bfa0f29de297cbb492bbb924fc89cfc686259217

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 338ea86ead3bdc42f13d17d0619b999e
SHA1 a4c8ca6f61301241b6b46be310dbcbca0a117d59
SHA256 056b4d1953862455ac36ef76bc5269d837dfcf366aa99fced53976807131198c
SHA512 aae9f2cb132e27e0673d87661fba902a816892cdaa225645a226cf0f7b15a1f19168c99f133daf096f15dd267a2eb7f248aa3f80adfefc914cce0c495e0982e6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 f9353e4640e4ac930f1678a5e2816d06
SHA1 580b93727adf730ec0d7c389f5ffe8e85a543af8
SHA256 231c85754419ff61588aad2eee6dcf14bd03a2795609d8903f5c8e4728005c4f
SHA512 017e468400b27147e47fe923ed4e7c6b3c87fc1ef30158bd662201b5c3f0296138dfa584c48c41e427c0cde86c859de1e7620c83b92baee0627f8f614c6b097d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

MD5 b11e127b6dd9019234d96b22f7dc2f5e
SHA1 5df9da9211368b7dc078885aa944412f0f1e88c2
SHA256 3aa0ce6aa68c4a3071f274be94ee63c4fb8b65c785d00a0651da3b76d6da71bd
SHA512 a3bc038a3fb18b8549d046a41f3f88453597c0ef3703107a8551577ea603e0dbe00cadf0dc294d7f29f86cf99d4908e4211de92d5b6143b70a3c9eaecb3955aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9b008261dda31857d68792b46af6dd6d
SHA1 e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9f04e2732fc0293c458fd7e8b02091a6
SHA1 b6f68bb7380e310d962c3bda2422185f2167b328
SHA256 8dccc911fc3d08c9b23e099216f114893bb87994c464442f41b85f4c2eb3404b
SHA512 019d08c1645b72e419c95382d6a5f1aa49163075438c56c6479f02492844bc94bfcd1339afead0393de877daf2ae68b6d25aa687ada5762a2cfeeccd60ee242f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e1e1c3607c100351d59e55d6f69df545
SHA1 adea1c086c2cc43e8ac884fdb06ed6d5f07df5e1
SHA256 1e3c1e1d5b8770e9aa5dda870aa054e9cd0c9c34a5569a156877303b2489ef64
SHA512 ade81b7b5c716ee6ad2240bc3f358890537247f2830f36e55f5615dd682e692889db77f9547291c3a00980fe3ba708758d23ad6d08761ee913a8fc71f1c33686

\??\pipe\LOCAL\crashpad_4360_CWNIPLQNQLOFYBMD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 2918a56a816918f1cb9ff49f8e946919
SHA1 c4f377c01abc282df94171eae7d41a317da98088
SHA256 586c99f970145b75ec349476ab6be9d8ff3106e5632649421b59271ed85b3212
SHA512 65438e4f536b91c407ac160861fdbe95140faa144cd465dd48a88b47f3b43ff7b8ca52600600a09e0d8fe2fb5d96a9b5d99952282f1565f46a16023a5f1f527f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 89f34a555ad11666aec121570e028eae
SHA1 0eb19d460f768768039200af37a4b3328a19bd43
SHA256 b24129710007053dd62da465c00ba31fe3c1ec5af94a56e471cdd321ab6cfbc2
SHA512 f0a6c82728653413e8e05a3a6cc13d433a125357f7344b9c38e2a47442f5dce44a1ee2bb329c5ba90884dca77dbb8e9b68da1a527178a8e583ad740f5bac2de6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 f5f5b0601af01c848dd4290338a47757
SHA1 aa344fc737fff7941fe1b1c7d0858fabd2d3f0a9
SHA256 bb6ce5900a05cce10305fa74cf7b2fe46af91dd8f9bd7e0b4b624810d9a86339
SHA512 3987629587d47d04c261917d6b658f4944ad9ee87d369a458ad1814cb2fe01314749224bdabd6bea127ad7f04f5eec82247068bc6a61fe43d5d61115425272a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 7d2cffba0d132140ac23fc674cc3c125
SHA1 1ec57c104e6522e0c1c92d26d1c6b93c6973edb4
SHA256 517d5798d5d8e65277464dcc3ec9b03756b0668a20f6b8fff7c8d5fc4e7d869b
SHA512 df1a748e736e90855a3d12a0b56ea12ed992f6523f53e680d070f89cdbdd24e8471ad7e5990c6f422b29300ff098a9df2e5c18970e6dd855e2af986ec7a4a6d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/748-616-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 9e94300a0997d3de7a4af2ca92ab0174
SHA1 e8cda31fb06102349daa3a2ae34ef1976d999d6e
SHA256 c266cc103da858f42d5f0fa70f400bd2e7526c9319213f968d84a1f665eea1c1
SHA512 c182644459c0e3d3512c61cd46373b19aee1ae78d00e9eb021ed195202ce157428a9dc0fb9c1cda617be47d7cb0b869845825f825d93347f353fa80c1a48bd68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9c4944c55a1ee1e183a780fa2dfaab23
SHA1 d23a112521dacceeed17424e1aab16cb3d8e0b49
SHA256 7caaaa92f69c2249f682abb924690c1fad6db7f62b5e5055eb467bb0073346fc
SHA512 e8065be32a460d306c055009e92255a37639bd2a90bfc0f13bbd09ed10b816522453249390c73b99e5bbb802f2369afcef9d2de80155293d361d629a067a8a02

memory/5448-635-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b067430c06cb4bc797850a7738ce3ebf
SHA1 52df4e5fb3ba3d266c2d11bacabac1917cfe2e7b
SHA256 1946e5cc858e31765a6ef6cc1e0cda487248aa5896e201f08c790bf7b42c41c3
SHA512 273627f5bd724b24e4ad787831d2e33f15190a048b2a5eac22996333e689f57ee82603a8ab4fcee596b006863cefb7f2ffd5e74abc992280c178192d3b30054d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

MD5 3d3b74aa48bdc86ee9230013af2fc15c
SHA1 f51b47d36de8af10131e9c504be51df0074f28d3
SHA256 5e3d56f06e425c4d150b670ba239a45d573b70b2f10f74f07ad1423f7a93fa25
SHA512 c4118916b3647a3aac5e253c94b846f6530be016c7c3b2fdcc6e9a504650ad102245136be2051f7650f1216e56b7b85a5a9e2028b8ac9d8881a8a00c31dd55e6

memory/748-656-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 bfc631a067572604760a6984ace287c3
SHA1 9f539fc24234920af9ad5840808d8d551b0e2b97
SHA256 aa64acbed8b2b4fd71814cc56a8b06417c6d0b114ef9d755d2bba3be3d85a7eb
SHA512 077cfc33ab49078e245256f247b117a6dbedfbaf385a995469fed0be06469d33d65de062147e454a223ab13055a72be20f7ac80d6d4844b47d5ad95824b7451a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 6e95444e916268db3d4dfe651fa423bf
SHA1 dc843c2a5fb957f8eefeff24ab9008179c1bc8d7
SHA256 7ebfdd5a541a5844aa592dfa10f9d415a42261a873c63087d982e3900ab91ea7
SHA512 8800502812db73a33ba78c0660cfef3ad8992d81303e8a390ba168411d622086569852e5ab6004f849289eeadb84f2c0f2e1fb3af42d51bfaa9c8f11bc3246f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 9a0f2aa6de56a0de4e5cf45bbe59a9e3
SHA1 b9616a89cf1c969c4e47d0f6d38bba83be410a14
SHA256 a38b564e6f310e415355147f45a4d1227eb630f0a6ebb549f406780691b508aa
SHA512 4afd635a61433eb11c785fc755e37a9e1d843615b0ca14d7d22031ba0863af43033e9f03811a12c59e0207fcd27149f983494d3b8de4587b7dbfe2a8555bab74

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 7357cf0202213aaffa1469bc1d7550a8
SHA1 6adb6ad6cecf582e87bd3608cf5597b69912e5de
SHA256 30931d99d25e2f0e1cde04e1c246928f791bbf527957d1b785f0e988dc380dfa
SHA512 1d2c6812a7f9929d4eb6416ca9c36c65cd63da89d5fc17b09976db50564100fe90726c50ab5ae846de7eb477b0353d4fcfc131767b48418f3d537001da18a501

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5239be90cb256801218c38e9c0627b31
SHA1 281bbff8cdd3fc4edb09621a60d449da12e196da
SHA256 2192ef9d7d22529aa035b5523665acd479111df0ba23ba3fb48c4727b47515e8
SHA512 3920cf4d344319f8fd4e44426302aaaae54223d1150ce4684109971a1c6b9394b19c3c4d3a240f9faff752f22be34b650ff0d7e2a507eebd2b5ec59e0c6985fc

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 efb1f0c72b726cdcc3bc60715d048850
SHA1 090b87c38e702c0d1a322f219dd282d200bd79f4
SHA256 46b3d6598c679931d892ef25d0e6a36172306f584e0b1069ff55fc44436dcd14
SHA512 af8dffa4a5e76cedc80940832d59aaf8acc684520c5ebad7c944301368587724f85550412b01842ebd82750811d9845af3d5b6be84cc6ef53ab96fb2781e1342

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/748-944-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 ca2c2759eb809526c2a0e3da15abf1a1
SHA1 8aac7721ad5e8379f87f4b82fcad895a71270faa
SHA256 a062494e7e7438f2e2d4d8449dc3f500588e49f466ba8963c6fd01a51ebce5a3
SHA512 e7374561318acaad7b5734075f56a30c131f636c8674cbc53b9e9c142f8398a320ab8751b344112e4e5ef2d4ccdf67d35bd14a681b578d65c4af14729208548c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

MD5 72484999c52181f633662d4bffb1e35f
SHA1 bf3518ba70a445714367c30f055a34f91d15bb58
SHA256 08539407f794df45b6baba62f834ccd75292968b66b751e806f28ed4c686ce95
SHA512 ddc241520423fb7705869bcb9bd36c22015e1f99ab253f12e282ee135a6b233547a046c2b68cb4f367df8bd37158e1406a7c8713e5c79c3b41577b5d80aae4df

memory/748-2146-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2821-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2836-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2847-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/4996-2871-0x0000000000850000-0x0000000000D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 acaf4127c7b8d02da6d78fc3bc4b3d7e
SHA1 75e3b5148a098c6b5fba620ec1cb35cf47d0baae
SHA256 b36df29a2390ef2de257d9dd1438cb3ffcec791dcec91c104945688d8bb70d21
SHA512 e4167e123ab0210acce3db4a738a168498860d4f7d20c0b4b3a3f1cab44995bd7ac81f8c6d9e63cd6012e59fbcd176ea4ca0f4059a76b75c82dfe9f472cc234c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3bb49f3b1a5c0d7db496c5e2c6347b4e
SHA1 cc50626a8610563281a0785cc998b09c56b452e7
SHA256 ad57f73317b0fba9b2c117858991b7c6a35a621fb9a313329bb814d22cb0678e
SHA512 ea2f72a174dfa91605621e9ca483fc3995e685b5aff01a7e9b9376199faadee4b417a014b565f0f46a8757da77fefa80a85145cc9c92120b94886aa6bfe4038b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596e50.TMP

MD5 015ab7c4c7a40433e3d7154d7f6bc888
SHA1 9dab4400a4b8c3cf26d8926ff4bd7ff670cf8478
SHA256 4c26ca0eca0e4aa508d4c3fcf853023859f2a42924963f2aadf2277ced39b5a1
SHA512 5af0c5fc33a55183efd414ac2bebea460d60f059a6a4dd9e585f3e783edfc5c00af2ce776bfde55c1a3673d179e1f1e122e45b3c0a4d9e4be8814c492eb82400

memory/748-2886-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2887-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2888-0x0000000000850000-0x0000000000D0A000-memory.dmp

memory/748-2889-0x0000000000850000-0x0000000000D0A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 02:34

Reported

2024-09-11 02:36

Platform

win11-20240802-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\23d6aedebc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\23d6aedebc.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3848 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe
PID 3848 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe
PID 3848 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe
PID 3848 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe
PID 3848 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe
PID 3848 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe
PID 3848 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 492 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4792 wrote to memory of 492 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4792 wrote to memory of 1208 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4792 wrote to memory of 1208 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 492 wrote to memory of 1484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1208 wrote to memory of 4580 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1484 wrote to memory of 4808 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe

"C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\23d6aedebc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f7725b-a337-48b8-9198-940eac4cef66} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b953d106-5a56-4038-b709-c92b080add90} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3448 -prefMapHandle 3368 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4b9d563-b535-4c37-acfd-f9a7a0dc759f} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3520 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {013a029e-f83d-4413-b5a5-413f0cfb8f2a} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -childID 3 -isForBrowser -prefsHandle 4404 -prefMapHandle 4400 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9364c73-a1ed-4ea1-ab0a-1a14194b9e42} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 5044 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf6b4ed-c597-472a-82e1-c3157acf613b} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5888 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10c2688a-b9be-4eb4-a4a0-e9d34e6fb8d2} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 6068 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e15bfab-714c-44c1-baa1-43cfcc92479f} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6248 -childID 6 -isForBrowser -prefsHandle 6256 -prefMapHandle 6260 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19716d84-1369-4106-8f40-319b3a419e25} 1484 "\\.\pipe\gecko-crash-server-pipe.1484" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 142.250.178.14:443 youtube-ui.l.google.com tcp
GB 142.250.178.14:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49860 tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
GB 142.250.187.238:443 accounts.youtube.com udp
N/A 127.0.0.1:49868 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 accounts.youtube.com tcp
GB 142.250.187.238:443 accounts.youtube.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 consent.youtube.com udp

Files

memory/420-0-0x0000000000D80000-0x000000000123A000-memory.dmp

memory/420-1-0x0000000077966000-0x0000000077968000-memory.dmp

memory/420-2-0x0000000000D81000-0x0000000000DAF000-memory.dmp

memory/420-3-0x0000000000D80000-0x000000000123A000-memory.dmp

memory/420-5-0x0000000000D80000-0x000000000123A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 656dad33ed55f336051883f756e7d041
SHA1 83ff37e0f8badb060900511002fb14e8c4deade8
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA512 ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c

memory/3848-18-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/420-17-0x0000000000D80000-0x000000000123A000-memory.dmp

memory/3848-19-0x0000000000831000-0x000000000085F000-memory.dmp

memory/3848-20-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-21-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\d109cc0999.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/3052-37-0x00000000006D0000-0x0000000000D5D000-memory.dmp

memory/3052-48-0x00000000006D0000-0x0000000000D5D000-memory.dmp

memory/3052-54-0x00000000006D0000-0x0000000000D5D000-memory.dmp

memory/3052-55-0x00000000006D0000-0x0000000000D5D000-memory.dmp

memory/248-56-0x0000000000CC0000-0x000000000134D000-memory.dmp

memory/3052-58-0x00000000006D0000-0x0000000000D5D000-memory.dmp

memory/3848-59-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/248-60-0x0000000000CC0000-0x000000000134D000-memory.dmp

memory/3848-61-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-62-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-63-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-64-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4792-72-0x0000000002C40000-0x0000000002C76000-memory.dmp

memory/4792-73-0x00000000058E0000-0x0000000005F0A000-memory.dmp

memory/4792-74-0x00000000055B0000-0x00000000055D2000-memory.dmp

memory/4792-75-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/4792-76-0x0000000005F10000-0x0000000005F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzhxnols.cpl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4792-85-0x0000000005F80000-0x00000000062D7000-memory.dmp

memory/4792-86-0x0000000006440000-0x000000000645E000-memory.dmp

memory/4792-87-0x0000000006490000-0x00000000064DC000-memory.dmp

memory/4792-89-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/4792-90-0x00000000069D0000-0x00000000069EA000-memory.dmp

memory/4792-91-0x0000000007400000-0x0000000007422000-memory.dmp

memory/4792-92-0x0000000007B00000-0x00000000080A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 3990ece8196e7f93e84fcde7e6b4debd
SHA1 5e28c9c6f7c75601b6a9bcf45142c48ad1019827
SHA256 27d55963bd21d024a21c14a9eec34b18c9b80f6c60433d3e73f4d88e459e7403
SHA512 e0bfce15c10e937d6e6dcb1eb51c504450565fe9fdc046c534d9839d5d49310f75fe51f805a097ae4e67a3c660c1b75732dd133d1035994a62dcd692a7f1721d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\a9004521-e400-4416-8c6d-8b02f7f9bf77

MD5 212e317c9917558501bb3794de32df82
SHA1 b08dcba6f9ee26e3cc2ea9a41a75c1441355c7c1
SHA256 f57901873eef49dfdf99e959d738beb146e9bd7b276feb5599503dc6bf92049d
SHA512 c7457f4607b3ff5ffbe2e6630787d87f24490df2c00baa6851429146092582f17448c041789f02dff80068af996a858aeb4c94b2839a29b19935ffe9d7cd506c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 e708c210acd73491e9222f3334636ad0
SHA1 1db0c0068cef07a061a491f91a0d1f3e54f23632
SHA256 a61279762b0337a259f129949a591440ba271277df4e9502d787bb6c4b3f0c57
SHA512 d91150e0ace835880d5880b35a86dd1c8a97639f98a7de9ac463952a404b3cb3052b025ff6a79d8f36d55f42592c839131b9cf04b3526f1205eda0585bc771fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\5c82dc28-f771-4af1-b75a-fe872656b42a

MD5 8867cbd4f627f1ed9474cb58da3098a9
SHA1 57daa9e7e61432a45d98737c9f5bd2231628ad31
SHA256 8d0f4bc4d2b542ce37a9d50b73e9c314fb198c9e3f987391a619d8ca1bc26c7d
SHA512 bd15caefc7c5ee522231358c2b746a7cb01ff1798b3e589b7e12e352dc80993e12415e7bc374488431ec64221a1474602499ec603120cb3e11b2a4331baf398c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 2f57377371fd7bbf68ae4e2eb6399be0
SHA1 6c97bae6ec323c046a8288e012224f9e2adf9caa
SHA256 43dae3e59b42b256a843e1df6a58405919d56f70813419cf515a9544ad526711
SHA512 5b6d8b8f2a553acce0b563f6408481cd2b1f81597635f6cb55ce5e38ae641dbb3368592775b9d50fa44a8f2f3388b53c9323bab93ed81cec018f708ccba3482a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 0f443e6872312afc7ec08e6b50a60a97
SHA1 160b8dad861717bef829efc7b26d6c5d41274b9d
SHA256 4a3cd96b11b42adb69a764d5baac309072096e46f92072b5ff0747737b8bdc1e
SHA512 39aef4324c2d34ae224fd1a25a01c706d412a9b68e25793984377faf0ad656d68298f4224b82988b23602d7f14341486a5fe5057880bd876ed6b94f9cd6a78d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 0b51b2a7dc7b471a59dd3b90e9b4a8e6
SHA1 f8a47a0d7f28ebd8c024916bc3ab49e024da97f7
SHA256 f212c199df12689438c2a7184c7cba224c425f848ab37fd5d97a268362828221
SHA512 72bc94f61131b062fd3df5de14884396793c997aa943405e763075114efc97878b07efee2943597b1b95e7676def249038aa8b7fd66b74bbf56fdd27c6e431d7

memory/3848-367-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 d8b052549f6889d35bb34dd905a29f8d
SHA1 25a5c1bf4faeb72a764a4edef78057490abe95c3
SHA256 55cb84151fbe50d59bc46c083cd6db488533f020b056216692ed1c5536f821c1
SHA512 ff9c2c32ee6bc8014dacbc1bc19688b6833332bf1be65ee046493b878ca3c981a70170836d2c0ba1e18ea5aa0e287573f2eecd8c9ef0f2f2ba04b68abb75fbca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 2ca14d6e6b2aaac1e42513d213ba0f42
SHA1 bdde748fba33b0abfae8bd7b96e38033fd127c0e
SHA256 d2e270ef453b8055c25705950069a12435933e9315106854cbc12271b700d339
SHA512 1f11add4dea87a75e3652be29573cac50f607443f3e5feca96d5294846b08493a6b33af43eb6e0bb2fc6aced81ecffd3d4dc380c9346657978d46f74caac3c0d

memory/3848-482-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/1776-494-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/1776-495-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 154f7a181c78d4f68f168579f9f19977
SHA1 ee42e234796650aeb3d1ad880035762c3958ddb8
SHA256 bfd5a870ce7ed4b82f84f9256f579e38a459d1aa98be9d9e21b0cc3b10b77155
SHA512 e3e2ffc0553ce5ba3bcc983391200f7942e56a5faf1d40f6967749582b85afb852924d4ad48c00cd802fbb6030a4c5e5fd143a113a1c3d0763566e6a746958dc

memory/3848-502-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 6fd1490a0837052759b539544e4ad806
SHA1 7b633808eb19cc1ca51aa18495c6b6be15f2a9f2
SHA256 de9985e380b8bb45f2e2dff98be9899b2e0b634de525f3e7dd9784e964d57c88
SHA512 3c2fee23ef143faa482a540ef99b902278a4e7497a35a9ce457ba5d0c44532b90e9c3dfad78389793a97da68f32a615028c0bd317d879f1bbec07152e1f19413

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 e8febfb2a365363aa10401cf7c481e47
SHA1 950b48fe9ca666a2525da620377c1022d537ef13
SHA256 58db33686914031dc943dbcdbb9aaadf0d519f648052805845b1a59961ab8717
SHA512 f0bf72dc046a6dc49a692bca80596b20970734af33c3098b3b801d2dc14e5d12162e2e800906e69b5ee2222f9205c744c34993357a48eca4740216ad44bbac50

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 1beeb004bcf2e887dc5611f7307bb564
SHA1 13397b6220fc57d3b6ef0fcfb24ebb64d42017ec
SHA256 31683d83b05cb90d38b27944fbc598799a5d40b5947412057460119aae3df25b
SHA512 1f4d947a00d4f251d806fa5150c6b1bc14f8d4eb24265b7775672633c5df088986fdd85d237009e026569d3b64d3279ac4926820963cddb6ca60585bafe8898e

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 2233c3d379c94190e839304f0aeab9cc
SHA1 b6ff2c9e08888478e92035dd6cd124eec50872a4
SHA256 890f05040254fe7b3f91c577016433981361086f37be112677a49a004b6cfdf6
SHA512 3c0b7eb5aed1ac1c31e64410b32182359ea3deb2ae7b3c049457816002932be362f8fbaedc8081a113a2e7b5506853a5263bace22ec87f5e70aaf6207262c486

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 303150e2f552422067ce5ab012289145
SHA1 db1777e2cad9da419196bc27ca22ef97d42045d5
SHA256 4e860ecdc518a8da4fdb760832d2f2437b337d438ea7cfb26c103d4b17dd0fd3
SHA512 073bfd99abecfd9da2349116b2ecde7f1b009f985b9eb68d09c9dca95f61c926e353d20dc86ecb9a591ec22b2bc692defd4879dee45cf85944f35bdb1946889e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 76a1ab5423e2620694d99935330239bb
SHA1 3c74a7eadc9e19245d6d3ff9ed70b985fec1a773
SHA256 0da2ce4972a23e24e5b80f93be0e01fe71a3a3fcde3d67229949002cb9103329
SHA512 e102693e06ced74c03e9d7ad8690dd801d98aa0a88bc880226f294ab7bb7b4bc14890b6f0472f313e54b08a6aa50bcd21377c5e9b529cc5b1a91b4f6ac1da8d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 044b65ec6bfc2908781eabc4a68aeb62
SHA1 320f3e57aebe71cdb371b311cb624e9b9cd6dcbb
SHA256 49e85c41808470f867d08afbe0ebe6977f8a7fdb9fd58cc27c718520f01980b2
SHA512 c821c20d9f1e771d1159897a45d2b31f01d28f7c41e35d2e1ba36002b9c2867740167816c6981d00221f78fa6adaf514732e98f8af27f1b4ff636d1cf19ef4c9

memory/3848-763-0x0000000000830000-0x0000000000CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 20e1c10296ba39cbc199527686030c7a
SHA1 406e16a32b4cc310b9b6ecaa64add9883b11f728
SHA256 c8d7dbb410d9d9d19739d6d83dc8776d37a4c6566d89f5a2c6466cffe6e5397b
SHA512 a1730f880df31fe622583a19a7bf97d7ed60bb201586df1e48b8a42e4af1a211ce982e1541c3cdd28fa3e60396748a1fe7e234181b9cbfdd989910ddbbb3bc74

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 b0b0e4b71f3ebe304ece16c8b3dedb42
SHA1 97952b35686dc66dd20bb0cc9ed8448cb42ccde9
SHA256 91d8754b08531e90f409a07eb613b4ec1fcadb7174bf4cdb6316fb11219b446b
SHA512 6e0b54dd07151e1f6743fe70eabe591b3f886c1c62942341dda0051592a0a550ea4021af19bb06cfd437f8eef9849fbf66210fe192eae26d26cb2144bd525467

memory/3848-1781-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2636-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2640-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2645-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/572-2647-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/572-2648-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2649-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2650-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2651-0x0000000000830000-0x0000000000CEA000-memory.dmp

memory/3848-2652-0x0000000000830000-0x0000000000CEA000-memory.dmp