Malware Analysis Report

2024-10-23 21:51

Sample ID 240911-hgknlaxhph
Target 9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464
SHA256 9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464

Threat Level: Known bad

The file 9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks BIOS information in registry

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 06:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 06:42

Reported

2024-09-11 06:45

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\762c22f572.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\762c22f572.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 420 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe
PID 3848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe
PID 3848 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe
PID 3848 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe
PID 3848 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe
PID 3848 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe
PID 3848 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3380 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 2768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3380 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3380 wrote to memory of 2864 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2864 wrote to memory of 944 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3380 wrote to memory of 2836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3380 wrote to memory of 2836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2836 wrote to memory of 5000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 944 wrote to memory of 4764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe

"C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe

"C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\762c22f572.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1828 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b7e2a2-cbe5-462d-baca-be7c057e9b1b} 944 "\\.\pipe\gecko-crash-server-pipe.944" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2332 -prefMapHandle 2308 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5fc9c4c-71f9-4447-a63d-8f8e933ef534} 944 "\\.\pipe\gecko-crash-server-pipe.944" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 1 -isForBrowser -prefsHandle 3428 -prefMapHandle 3196 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe2bd43-44e0-4bc2-bc5c-6902f7099d46} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 2528 -prefMapHandle 3308 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88848ed2-c063-4080-8622-5260846a9d92} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4192 -childID 3 -isForBrowser -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbc1e08f-f4ef-40d6-952a-434938a8db2c} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5068 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5048 -prefMapHandle 5036 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a3d85c-7c90-4dd5-9703-83895a5b49f2} 944 "\\.\pipe\gecko-crash-server-pipe.944" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 4 -isForBrowser -prefsHandle 5924 -prefMapHandle 5920 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {010f0f8f-4285-4de5-bf5b-16c1fb2857b7} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 5 -isForBrowser -prefsHandle 6072 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bc7fe24-a288-4101-ab3f-5ebd9bd0cfb3} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6348 -childID 6 -isForBrowser -prefsHandle 6268 -prefMapHandle 6272 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caa89736-bfe0-4434-b45e-ac9b51231e1d} 944 "\\.\pipe\gecko-crash-server-pipe.944" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.212.206:443 youtube-ui.l.google.com tcp
GB 216.58.212.206:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49867 tcp
N/A 127.0.0.1:49886 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
NL 2.18.121.73:80 a19.dscg10.akamai.net tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 consent.youtube.com udp

Files

memory/420-0-0x0000000000780000-0x0000000000C3D000-memory.dmp

memory/420-1-0x0000000077966000-0x0000000077968000-memory.dmp

memory/420-2-0x0000000000781000-0x00000000007AF000-memory.dmp

memory/420-3-0x0000000000780000-0x0000000000C3D000-memory.dmp

memory/420-5-0x0000000000780000-0x0000000000C3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 430fbb946370ff955dae5e717d188413
SHA1 0e50738a179534126da1721597e22719cb9d0734
SHA256 9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464
SHA512 b581d4bd81c8922e10c59fd51dc3250c5cb1a53e959f4a65684e748c52c80510da6dfa2e71f58712ab0c8217b4e1c5e6597a7671632c53de78a968fe827a901d

memory/3848-17-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/420-16-0x0000000000780000-0x0000000000C3D000-memory.dmp

memory/3848-19-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-20-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-21-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\304d008d67.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/2832-37-0x0000000000210000-0x000000000089D000-memory.dmp

memory/2832-38-0x0000000000210000-0x000000000089D000-memory.dmp

memory/2832-39-0x0000000000210000-0x000000000089D000-memory.dmp

memory/3992-55-0x0000000000860000-0x0000000000EED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/3380-63-0x0000000004A80000-0x0000000004AB6000-memory.dmp

memory/3380-64-0x00000000050F0000-0x000000000571A000-memory.dmp

memory/3380-65-0x0000000005060000-0x0000000005082000-memory.dmp

memory/3380-66-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/3380-67-0x00000000059F0000-0x0000000005A56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udh20jvg.y3p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3380-76-0x0000000005B50000-0x0000000005EA7000-memory.dmp

memory/3380-77-0x0000000005F00000-0x0000000005F1E000-memory.dmp

memory/3380-78-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/3848-80-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/2832-82-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3380-99-0x00000000064F0000-0x0000000006512000-memory.dmp

memory/3380-98-0x0000000006490000-0x00000000064AA000-memory.dmp

memory/3380-97-0x0000000006F20000-0x0000000006FB6000-memory.dmp

memory/3380-100-0x00000000075E0000-0x0000000007B86000-memory.dmp

memory/3848-118-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 124a38f1d3b96f5170408c9e9ba616d8
SHA1 178ef403791012ade7ee6d317789959e530f08b2
SHA256 f93b58c6e656e7316472cd7cd0d10e506382e9610d145e8071b21e6bf9b3f877
SHA512 670aafe91ebaf7ca30db889f58a682b870b3ebe8a475ca919ba6618718dd6ea008b9db5779d7850118c5f9edc7332f466f5c9d4a0e5b43fa8e82dcca9a527740

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\6aabeca2-4158-4d4c-a5a9-bae2d9d14d5d

MD5 04c5aaa62a31de33c7d3a6bd7b9cb8bc
SHA1 0397150308f6d8d646d6d71c4adfde4368e9fc2b
SHA256 f61c6e15e1661146e5aa8f222cb1e6e33514a5ae5c86d1646e45ad0124fb9378
SHA512 6c7d0a347f13c5c9f988cc94cd1cc1dadf786d18a9ff9e3c21d97c44b1d650441ca258c413ebb18ff51424ff9a9de0c091e56860e83c2e8f049d70db18c29f5e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\e4afcc82-0612-4d37-908e-1f2291f61bdc

MD5 b539ad5a59d5e5eafd5def542ae74bed
SHA1 9df232546537f5d94da647c895cd6ce5ab00a3d5
SHA256 524b4fbc7ec4021ff6a1657b8fae09eb4f7b1544c324e4059e59d33df947fccd
SHA512 d1b3f601f4601b8100e29904892b17e055e872e61408906287da8948ec121d56f20b2dd9082d82f7e695137b9dd0632532c9aad8861e455c1923cfcab37843a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\34b1cc94-74ee-4a1e-a872-8950fb16d2d8

MD5 df508076909f64a58d42f7347537a937
SHA1 cddb0d0e65c23b22f0a7047732d858bbb0472d3e
SHA256 63039b1ab9e746d61249d02ae0fc6f78a70e537158b7c578f67cb493c3a2a5fe
SHA512 8b01c245f7b94e32bfb705ad32b9f817eedda5d327f4bfdab2cfd4a3c76a285598890dd01c5ff15582c80366e23996677d84576ff9aa08a588911602ebf9bfa2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 f054b03d91e52431d59bceb4c37375eb
SHA1 c3af569ef208cd0c585e124d408fbfe418272b2f
SHA256 b0f58da2f6b5167c8dbfafd3d11c79fcb1bbaf85d7b7ad92dbc6f8034bf7ce92
SHA512 8696325082b7bb5430ed734ac7b2304b9c6fa3662ef392757a0b89b7acfa387e49744118c8a0feed7f8d02b658510f0ec78d8f1819feb7f2df1bf92aee660daf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 321dea9190903a45bc69421ac398fa3e
SHA1 dbea9157a664661abe3d8d54edfc6990eaa993fc
SHA256 baf695b4fcb23a5f9594111866b97233b2b8e0cfeeee100f0bc8ba49e6b7a2c0
SHA512 930a1c95292d26f02dcae7d48e2dd41ee1ee11d2ad74098e07fb99d388db2f4295f543b1595b171826a29a4776d18336f90eb5575a765fbf910a62b42625fcae

memory/3848-405-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 c7a72df9bf790bc12820cc18e5d3275e
SHA1 beb52ff1eceab34a902c67354f2936f8bedd7cd4
SHA256 7e8319f1aa61b87e5519fb2ee5337e8443f2d56d437696a953b10770700acdec
SHA512 40c35c141550a601178c14cfb5ed17a4942b09ba13a5695be4fd8d4ee276acea32069cd25bf4eb235fef8d53c5e6204cacc872d385ce8628e8f6fc00acad238c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 5a9bc42f2b9bd1d199db0e559913f333
SHA1 26ad67c762b7a7c4ed30e89795d1e0d99e1d5e68
SHA256 b85e967d29365d5bb0d971dba39cfb0bea612a717e3d537b1a03daff7db9856d
SHA512 636f848d100b3ab0e2a48c6158b80f4167b2fddb9e1afef29d4ce8c47f90620ce3ec65ddae6d28711b8f6e9b99c2a1dd99b464e2f4744161a47179a4c70f8445

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 34a2d6c8e86959a051e55f702986f66e
SHA1 73f9e7f8b755cc11d927f79ad9fc0fd5e123f6f0
SHA256 885d4948b787c805967a30708a392d11ae1d1c515fb1339c9b8f8cae9621eff9
SHA512 d807f665c141b5022e1503f5d412b96286de75d44c8cace24c7b2c9f4b8df61f46af3f9ad7ef2c15db29585c3b4399014cba6f3c72f106ec18d4981624611cfc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 42879555f6acf9cefc40640a1eadd447
SHA1 85338ad73bfaaced71986e7e56bd231f992742d8
SHA256 c717e224913d3823ebf3826cf24769fa17ac28ac7c215eb71a9be65a76dda206
SHA512 37d65f5536be55a65e2a14e12ee3e795785bf8f3ac2d0030cf1d66016c9197f9da1955baa9cb62d4878368876c541c294b33bf9ae491991a4cd7de72b29d2790

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 faa702a5d49d1adf14d8bf1297e8d9db
SHA1 aea7bd3a64e6c7878f09085613b09097b3fc1b4e
SHA256 066d096eb4545f6f2cefb78aa9fd1022aaa18574fbb6376ef9d53d3d04b30889
SHA512 466981a6d509e5e203f640d1c53ff35d023964f2b3a9770180bc60e4b731f5d0d8ee6d523fe15b594405aaf97feb2aab8f47b5b440b96b3ae81ca6b18133b458

memory/3848-523-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/2832-526-0x0000000000210000-0x000000000089D000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\cookies.sqlite

MD5 46fff05e6fd524ae300b934ca7b70cd5
SHA1 f0b7cbed57224249826ccecdffd157d390fedfba
SHA256 bfbfc2cc74372f98fb757996ee9bc80fabe664103e6cdb641337455e59f63359
SHA512 59768df05a2a036690b520a39689317691c9e5ff7ace7ea537797bfb63607c90e4d0dbbc186417d8fe94a4e2e72e6ef1d3bda6c554ed2e3b044557d4e64863ca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\cookies.sqlite-wal

MD5 9df385f404d7d688c37b5dbc7a4d1f16
SHA1 50068969fc18763b60352077d24b02b7eda8bfcb
SHA256 3172e0b724637e17e312fd69a3edfe1b09f92e340b32c55eab8f3465b78869b2
SHA512 27466e7a1db840fb97d1b1ba458f0b7d484e69df94aec73a1ee9365eac8a14700bb67cd84751236e10a01023aa9e4c2453730164fd69289b19a545340c0290dc

memory/2832-555-0x0000000000210000-0x000000000089D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\places.sqlite

MD5 f21e00a24e4b159468cfefd4a2658a2a
SHA1 255728355b77041e70c9e6efa2d6f356207380ae
SHA256 dc34ff651984902103b614f06b4a4ff51ae7873c3fc56c03f4bfdd6930fef4ee
SHA512 3a9b3b8c851edacc5aeffedf8853239c0b589461730cdcae1a6d15674c6374621369625eb9d3537bdbfee614c7ad42300603b9a19099e19c3cd0ede0902b2fb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\places.sqlite-wal

MD5 62a92f0f8b225ef06a646dae31d0ecf5
SHA1 14311b6f3fef1aa1da192b09d8d28dab00311d43
SHA256 a81d637d1516e9a093f7f96bda7f338551a8e32c6f35a96df8f76ef056f6bc09
SHA512 20d7389c82ad53ec3c9f626689475c082961321514a001240418ef58bcd3dc3ea6e29f05774c1d902e821e3bd16dea54ec2edf151940091167f6e8f0e30e3fce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 0d6e8689827fdb26591c39a78847cd89
SHA1 4914c5a6a334f53afd5ae055685674c210c54921
SHA256 6f1a00255106287086a02c0afd61e7ed49ec7c163e18d773e4f4d4ef7aa347bc
SHA512 82dfcbad8268395a9e0444a541820b12d263d026214ff44cc7611be07d72e0315b227aeb330bc4fba0a404b3d1b249abee31741c461438213bc704085db31843

memory/2832-572-0x0000000000210000-0x000000000089D000-memory.dmp

memory/2832-573-0x0000000000210000-0x000000000089D000-memory.dmp

memory/3992-574-0x0000000000860000-0x0000000000EED000-memory.dmp

memory/3992-575-0x0000000000860000-0x0000000000EED000-memory.dmp

memory/2832-576-0x0000000000210000-0x000000000089D000-memory.dmp

memory/3992-579-0x0000000000860000-0x0000000000EED000-memory.dmp

memory/3848-588-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 78d610ce4636f42850b5c852fa0266b7
SHA1 c57ed29ebbd7693a0c18dc157d46959b8af45261
SHA256 ee5614179d4fc44754691166bbcec4eba86f96a0684069ce72c9a8813ff7afd1
SHA512 17bda80aa76668579d723ba71a49aa7514e0d094b07ffa578a0cc53e2d345f6ef9078c68298fc83bad14220e25990a89b6f0f801392001202f1e171c8df63716

memory/5572-596-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-597-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 6707c3c57e6ea865f7257b5788b19643
SHA1 3195c1ddd283269feafab2cafb4f78dd0f4c1c91
SHA256 a25f2a56155465c09b98b1cb25d7bfcba1bd0c8559fda50177820f8180301dc7
SHA512 303ebb7c9277e3449fc21ff4a237660bf4f3c66052b01c103de28ba474c5163ec5edcf3054108fb6a3f345114de0ef34ee6a153c5a5d0460431fed5949a3d3dd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 eb8c37c91fa0ff5e11633fe799656343
SHA1 a548a17d3982a8cf957f38320508e723270bd615
SHA256 943fb0a2f625f8f05751cc188031f2f63bc69191ed7f5797ba1c7831175a5adf
SHA512 fa55ccb8aef2cb3cb896147f9d871dd99ed6da32b7932be6c50925fac511eb0494fd5b2cc5201978379c301f0599b0bd0a1f44a462280c47f0cf4cbc45601ab8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 194366b5ee10db576b9a115eb10d56b0
SHA1 77f5bb6790f44e82b6105a3f7688088a41076137
SHA256 302ce8950b876e201194e3d777800b6906ff405292dfb3480c48d1d71a012e0c
SHA512 a0702e4c43f9609aaa640eb4119ee422a36c5341f86c3be2359f380d85ee592da4bede9c556bf9b899326990885f2c07b2f23dd8e8410f17fe34dd89da5726d2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 f36fb97ad3a373523f8357c983a25ce3
SHA1 bf8c066449907373d139e7241ca4ef2d7caa520b
SHA256 ef49ad21b32e16d836889a6ce4499f25ab45391ffa3f6db97095efa9cce92ed0
SHA512 20a06c75f218507375f89b45b68b7d649799c7cbe8acbcf83c1a36054bcc139dbc34baa1376bd00d2c3f424dc15b2d7cb6ec3f91c200fceb0151cd4f74e1441a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 76a1ab5423e2620694d99935330239bb
SHA1 3c74a7eadc9e19245d6d3ff9ed70b985fec1a773
SHA256 0da2ce4972a23e24e5b80f93be0e01fe71a3a3fcde3d67229949002cb9103329
SHA512 e102693e06ced74c03e9d7ad8690dd801d98aa0a88bc880226f294ab7bb7b4bc14890b6f0472f313e54b08a6aa50bcd21377c5e9b529cc5b1a91b4f6ac1da8d1

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 bee1d8ffae8f813d5d8aa82701cc2deb
SHA1 bc6328ca6fdac1d5ffd69ee8293eb5164e67f603
SHA256 07054e2466b89640895f9a1785abb61a76770610740e803038841f336718d65f
SHA512 1e8d6826f88d3c1b8e612054b53c392bfc8247aa7815f32311c9aaeaea525a1495323e49010e71fc09f15b672d2ffca6398414c96e4941829a518d1295521ae7

memory/3848-1435-0x0000000000650000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 5832eba772466e91ca8d34650c1c4b24
SHA1 30a55dfc55913ec6c3219621386b8ed3b1cc70c4
SHA256 0fc23773f06d891107d5a589264e71e006510555f17140731e1bf76afa791c8f
SHA512 b4163cc313d9f939f14188ea62b82866a431704da15a879593123a54994f91ca6f7adb4cdf5b509a5f73734962d608dde8a72476bd4a530c3af94776d7343dc1

memory/3848-2685-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2756-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2762-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2765-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/4380-2767-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2768-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2769-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2770-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2771-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2772-0x0000000000650000-0x0000000000B0D000-memory.dmp

memory/3848-2779-0x0000000000650000-0x0000000000B0D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 06:42

Reported

2024-09-11 06:45

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e8f31ed17.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\2e8f31ed17.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2492 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2492 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4212 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe
PID 4212 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe
PID 4212 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe
PID 4212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe
PID 4212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe
PID 4212 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe
PID 4212 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3172 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3688 wrote to memory of 3172 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3172 wrote to memory of 2208 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3688 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3688 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2372 wrote to memory of 720 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2208 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe

"C:\Users\Admin\AppData\Local\Temp\9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe

"C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\2e8f31ed17.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca7b5bec-b16a-4811-a2f2-d79206b00c6a} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16952929-7e59-4f14-a088-b640e73c2806} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4f6246f8,0x7ffc4f624708,0x7ffc4f624718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc4f6246f8,0x7ffc4f624708,0x7ffc4f624718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3108 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c45b8be-49e9-40b4-b1f7-fcd0c70756e1} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3360 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75398772-c1a1-4c20-8e10-92306277b941} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 3 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {697754e7-8756-446b-b9bf-53a099c6fd24} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ba0d9a5-75da-478e-973c-104206028215} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3066859620048516404,12368518798783479019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3066859620048516404,12368518798783479019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e319e43-fd26-4a95-9106-b68e486695c6} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5904 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25779bb4-cbd8-41fa-a23d-a2778d11064f} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -childID 6 -isForBrowser -prefsHandle 6116 -prefMapHandle 6120 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5053de-c1cf-4b59-a355-2343a4e104a6} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11114702791353142446,13923236874704235193,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5148 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.180.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 213.24.239.44.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
N/A 127.0.0.1:61374 tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:61383 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/2492-0-0x0000000000010000-0x00000000004CD000-memory.dmp

memory/2492-1-0x0000000077314000-0x0000000077316000-memory.dmp

memory/2492-2-0x0000000000011000-0x000000000003F000-memory.dmp

memory/2492-3-0x0000000000010000-0x00000000004CD000-memory.dmp

memory/2492-4-0x0000000000010000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 430fbb946370ff955dae5e717d188413
SHA1 0e50738a179534126da1721597e22719cb9d0734
SHA256 9bfa2dd417b91950744e8037196965546d11adb4ed41ce4eef7a60bb57a99464
SHA512 b581d4bd81c8922e10c59fd51dc3250c5cb1a53e959f4a65684e748c52c80510da6dfa2e71f58712ab0c8217b4e1c5e6597a7671632c53de78a968fe827a901d

memory/2492-15-0x0000000000010000-0x00000000004CD000-memory.dmp

memory/4212-18-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-20-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-19-0x0000000000C91000-0x0000000000CBF000-memory.dmp

memory/4212-21-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-22-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\f998e7ae68.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/4448-38-0x0000000000880000-0x0000000000F0D000-memory.dmp

memory/4448-47-0x0000000000880000-0x0000000000F0D000-memory.dmp

memory/4448-48-0x0000000000880000-0x0000000000F0D000-memory.dmp

memory/4784-57-0x0000000000DA0000-0x000000000142D000-memory.dmp

memory/4212-58-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-54-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4448-59-0x0000000000880000-0x0000000000F0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4212-67-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/3688-68-0x0000000002390000-0x00000000023C6000-memory.dmp

memory/3688-69-0x0000000004EF0000-0x0000000005518000-memory.dmp

memory/4784-71-0x0000000000DA0000-0x000000000142D000-memory.dmp

memory/3688-72-0x0000000004D10000-0x0000000004D32000-memory.dmp

memory/3688-74-0x0000000005680000-0x00000000056E6000-memory.dmp

memory/3688-73-0x0000000005610000-0x0000000005676000-memory.dmp

memory/4212-75-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ut4luefh.m4d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3688-85-0x00000000056F0000-0x0000000005A44000-memory.dmp

memory/3688-86-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

memory/3688-87-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

memory/4212-89-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/3688-90-0x0000000006DB0000-0x0000000006E46000-memory.dmp

memory/3688-91-0x0000000006220000-0x000000000623A000-memory.dmp

memory/3688-92-0x0000000006280000-0x00000000062A2000-memory.dmp

memory/3688-93-0x0000000007400000-0x00000000079A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 983cbc1f706a155d63496ebc4d66515e
SHA1 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256 cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512 d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\87e4fafe-6eb9-4061-84d1-3aa09663823b

MD5 ff5b5c581e99584a7665e8bcfb57d09a
SHA1 454f6c296cc012d421cc763007664e2475e72545
SHA256 19e8f515ea007a9d446a1c12b5b64db08962acc5bdfb853ade52af762371f7b5
SHA512 3fd1f2c8ec976a64ea0c385c8317393440a1d631cd99213b2cda3045ad26e5c85da3b471ce25e0c1c2be21fa0befda1b2fd27b6f151c60fe2d50a22a73f8ce11

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\afc63f8a-bb3b-4ff3-b30b-352c40a34e07

MD5 e4dd6170a22ce3bd839046d077222e5a
SHA1 843784fc5c3d6018f89bc0c49a0d33e76a7de9e8
SHA256 92377f69b9c0c16dbe82bbf0182ef89fb61ea2a1bfe64fa807a1659d81c02047
SHA512 b937cc572da092902fdf9fdeddb39758f221c6f9c9cb7da7f00ba89de3038867f8a73e99e6ebea20ae2dec82b857deb6da6366b12089f83fa33a0194b57990c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\73cd4f8d-e34b-4082-b779-23940720bee6

MD5 78975d0e4398cb512fa73b528c5de36b
SHA1 4c17f1c3a1c52b4b30fc65b93b958a69789e6093
SHA256 b296971cf55bf6c2750e74c69531821cc6036e41eeac4c9e77e5d733f9125b6e
SHA512 c1d931cd251e7ccbf13d17ac8eff4aad7a0a52467af6d1559468d7060148bf9e411ef45abbccc722b5a3a9245be49b5b8a6793baa59abeed0b5a70d572a24f58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 781f9083d24fae1831d730d70d8d7257
SHA1 8e5d41d1eafa09e6abc99a563586d5151d488eb4
SHA256 7f542d74b0f8b14dd6abdd2ac33bd6e8b570d71b15d58fc0c240f96303a41212
SHA512 d1ad5d37a1ed643063cc2287855b219fca3735dccf442fe430d422066a0128eba3fe09088f663c235ec365e64f46095e1915989552c1e2b9a94fc645bab056ef

memory/4212-119-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 8d0dc8619aa1c7dc48ce024d79f92ae1
SHA1 b908e35e6a447251878dbfa0195c185eaa7232b6
SHA256 f8551516638737305d528ff0ace77a196b08dee274e295e9863ba2650c787780
SHA512 bbb961d08e43944e0db84a552f1d86059d030aeeceece6d16c49b267fa4a85e1ad08b2b9a31a8be98b6a4878367dd564b2bbe6c659aed3087724c551405d81a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 f824287e26fd766d82632945984c2a04
SHA1 0bf7f7daa46179f8323cdb4b368080e5a45b0a4c
SHA256 72377ca67484080da387a4d4bf2e01d159c0fe36bb3fdccabe3ff35774c2a89e
SHA512 1f925b19348e312d1d2dcf9b7424b38eaa1b738d88db228917f24698f3f62d7937f47fd931d8a19a7424acc4f2c50abeb69ea2e9f91178b1825abb17c47ede8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 022aa22afbc5e7438f2ba57d1da8a501
SHA1 33c4b6a266ecec6dd7d7e84a831919c6e905c474
SHA256 790c3a8f7ed43873f6b81e175d9d9464375e55781f819059c385efec4a6a97a6
SHA512 7773c7331355785e91ac710223415006ae5e61f78fa7b15c8868eb304338848343ab53d5ff6a1ea248eda1a6c023fb9f2b77869f24c51a339b338cec20b083b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 111c361619c017b5d09a13a56938bd54
SHA1 e02b363a8ceb95751623f25025a9299a2c931e07
SHA256 d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512 fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

\??\pipe\LOCAL\crashpad_1944_SBQFTXWGNFEGNVYM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bfe99d6b3f1f15cf01f1b740b5019f7e
SHA1 9d7d886c9524c5cd8f786b1cb86746ada3e80ed0
SHA256 cc87ace96b3cf27f24034151e3b7a7de69c08a0374e96e50e37f8ee762fade2b
SHA512 0278cecb2cf832511b001965f9ffbb33a0459605a9b243bf3f3f7934e016536e57d8ff853b80cb4173485b2ceffc870ff4af104e99cd69ddbe04e9d724788c80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0300d8545ce3e75aed96b112336148a7
SHA1 419eb8d8b2bf302beb58e51477f502829fb629a1
SHA256 1c5d0f1195e5837c8c83fe184d04b75f7e7ccb9d12c1e58d1064959572195444
SHA512 b1267103a6b88bb04ec4fa111bf1a0734fb75ae5dfd726eaa61bc6f3844a84cea9e1e9b41e0ff9f1751c87fd049f0b2072da5c504af2133f985ca4ae2ea9adb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 124a14933e8065f392df2acbc7dd080d
SHA1 8d81264a57d1c8ca5cb32117854e6bb0b12abf41
SHA256 304fa53d237d426bdc0a178ca4152e0437918b109538fca232a5f5f8f9fc096f
SHA512 78bf579df1e5a7ad18f0572f8e050ddcd2ff5e3a31031396fc2af1cf8e7b1c3f8ae2467758119735fa507b53cb629b6ba452e20adedf7b700631d4b73f1d4fff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 0882d8c775441d2e96b6a2d399c1cdc0
SHA1 f7249dea891b49faf4cffb96b6661dad7bc04ee7
SHA256 f1e4a0cc35b1be7cf076805f2834b5aed910acdc5b3e5e7b717ff0c2e4ab776f
SHA512 884dc3568b7c4a59f594d37ab2f191a929702a38bc25e8233c82d81d2165b48131d45a9eea84b4acb6484011980d6a3ae518b3546f5562bfcac531aa23a07f01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4212-635-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1a1cfa71b844867ca66b2286356b5cae
SHA1 6a37bc1c5ff1e40882da7cd89b312277a05b11bb
SHA256 db740534ff23a66df192b41f0e1d9d1c482fd8a83a41423e1858841a051f5b86
SHA512 59050ac875e3a97d9b0564cf3229b0f585eef76872926e0c8f3069ba26e2fbcbb0b647361efa850bcb707582221f56e1329d985265bf6eac2cfe430fae634f70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 93b3b71f908c029de7f845e1c7b46cf7
SHA1 4470046f560ba55e7488cf39564740ad7e9ac10d
SHA256 a9e3dbba203c42f0d3b492531926864795a2230a4975f0d5bdda5de99d3bfe4e
SHA512 f1c073d951b9fc842b8e41b1ab602aee19e62ccf0754bdd47cf5bcba5f2df9593901f11700c0d1972e181f6e3b6f0c42e37129a043996fd48db95a0a5937e7f4

memory/6308-663-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/6308-664-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 a8b2be7d8d1a90a8eb852aef698cd799
SHA1 9f8c299a0cbc8694b602a0d8b1885c9830f36991
SHA256 67d052818a3e75080ac38b35ef7525e90178eeb34fceed60976fcb8ccbd67215
SHA512 df5db5ac81fad97760b092e7452b9a6b7c33068c4655bb4d3ab0e834419889175bee52bc0b5c815aaa222802cc8a306c64299e8b7885a1892cacd553fe33f411

memory/4212-671-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 1e229bc119f87cafaecac896c64d3446
SHA1 deab71eab9ea3d0b354580d3dc1aee5fc5fc1c8e
SHA256 439523b5cb52da693203053c63d2ac6744e18a3e960a82c89a32e68659484f68
SHA512 de4a8ebdd1f6b11a94a26941eca38e04db85d626ba07ba6238711bc3b54cfa9134520c8e3ce426c072cf6d6835e708791460de9b2b253165b447bce834d40bf9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 86390e10296a77f36d8971a9ac42ad37
SHA1 aa600a731742601888b1a61d1fe73a707753fc0a
SHA256 405016c5e799161b206072e9f2c08bfc5b4a7a2e5383e73b8f9cd34ceed49bae
SHA512 65e2a2880ff22040b2613d00ff921671e12a78992174a95c4c792c1e6c00cbbc31a24071ceef8697be3ccbc5a4980fee846c8674195cc168864fbbb7b74791e3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 e570f113c253a56014f1b4902db054eb
SHA1 f80a47db1630eb2587b16d1126b0c03c695ad7c4
SHA256 36f6b2f4f90320a72c733c0ffa4ed518653b7809d14af9b16bb394f5f2a0bc7d
SHA512 ce6cb2c2a293ede9f93a1e1508c71047db08e8d48fb2bb1a994848419f80d39cc690c4184431f4e444008f41dece48bd8ee5e50cf925f6786cc5343a312f3438

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 a0e3c9c059cf38bf7e053900035a25de
SHA1 8c4a2801da75d7783269f0e9d642f015d8c92007
SHA256 044705f37571ffcf9b0db8387f2c71861460bccb8d84d8c3b428902380406ec0
SHA512 7be3bc7e8ca4657da2e7a6d8b0a3c671013a2298024dd627ccc5a01d6079a566579ea229dd6f1ac40d5c236610df6f6e9c9bf0705b2ca118a0274d4bef30fe9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 4554a0989510e34c3d09ded478fccb39
SHA1 6f981afa7be3af8dd8b89219f906193e68e4deaf
SHA256 ab7ffd8188ce60d0efb4d2601edc9f2fab36078f7d7791917bb9a2d14fca1be6
SHA512 eee932db19b8222806cc14f55eb47655412ad91a731552bfef3a3dd91b55bc0439c8335042886ad5ea480223a835f65a8fa844664ce73383d52f5d4f6531d8ba

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b4e85fc6d0d761f859df2675188b603a
SHA1 e51c469f2d235c3a9d6354018f02b825184c4ef3
SHA256 6d606fc9f376392cad8ecfce82534449bdba88cd86918664e6bea4eacb6d6c33
SHA512 15ce48446ef371c9db8b9385bb133f3791fa6e31b19fe50cbd03e9fcc15c1deb97394e864210533ab3779cd8e909d3cf4907db6f3e6ca8e13383e47f624dc2c7

memory/4212-1491-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 7ae2c2bc0b9d868acd03a19a2f55b311
SHA1 ad879361c6a472ebf52abe95ad84cb4c5166c42a
SHA256 d88c67292dffa55ab6062132029fe3202c811c3572807203de7d7f6b0321fe0e
SHA512 1061d74bc34289538d7fd46325161a451a31413803a0a5ac2a2dc95d67b53a30205215deb5a9fac23686d2d5ecfbe0dee2e375a8bfe38b36fc2a568c07968f1c

memory/4212-3514-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3518-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3534-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 0bb7aab20bec10e5384c52cc9175d86d
SHA1 c7916374770739f86f88cd023a5a0f91cfa8b378
SHA256 8b5a8d18b15e267a7e81847a7cacb16ab571f9c022071bf9009f8665d4d26838
SHA512 5a27cc106ad7dc93a11a192c2055c3c4d26ad3544f15ffa3f12e8e749b5a667a45f4e1e614d77df2c6f2fb81dfc98e86cb3d6e1835c252019c69bec89401d16e

memory/4212-3543-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a1eb39234a5b5c845e53a6585411351f
SHA1 94723b87ea569c402e3a1a886ad8f50987d7c49c
SHA256 7badbafc509dfd966d54903ccf5ab6121289600a0adffa262bc35c584df419f2
SHA512 1198d99803d5f1071b369999fe65ee6d28cf91c7953cb5421100eedabc8dd0b7e04cb05fb718ea4f5cf344d74bd536bdd59532a27888e3395e353bfa3a22a6cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2ab34c17c6e59e6885dca1b191fc58c6
SHA1 7a93ec8531e765e335d60e21ca8aeb9a2069f2f1
SHA256 8faa79cb3fb89e4fdd4a89555a1b5fa647912926764cb264c0f31e3de9a63319
SHA512 384ea464d75036fcb428c4abc7c50f0493d5cee40b25fdb4474b4356c9f05f9716152a8f7d08038dc3bc0de26830469a34634ac64c45686d34f60a18c813760e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c407.TMP

MD5 e65f27d7ea75d5ace8acb6dbcfa1bda3
SHA1 aec8ac5fc3ce1c3897b8db03fe209f6461e27f0f
SHA256 e6611fa013c8b9d3bbad747c71e4961da8587af14c8d4f1eb03d52863dd52602
SHA512 27bf9a46af21be1f24fbc810e3a7e5fa3735ce5eec6010f6903b1ac6ee15d10339dcf853ee0b83dcf50df0c7cb7de62aa1544e084ac8f52b4d27bde20bd5d225

memory/1644-3577-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3578-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3579-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3580-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3581-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3582-0x0000000000C90000-0x000000000114D000-memory.dmp

memory/4212-3591-0x0000000000C90000-0x000000000114D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3e8d966a6ddb6debf854d3f4a0060cd2
SHA1 4d90e1c896389a9f93dd2baf24b5f2aa695ae58c
SHA256 39e00fdb59463aa046090cdcfb7a0533251570a2548921f5937221049a59714e
SHA512 4edf5d84dd1c774b7357e7adbdc0eb77adf6d7f05193b546fba102fc95f278ec93452c131fbb7eedd58da73967838660b6a1c1cd5ba365fd2b60b9e9bcf1788f

memory/3132-3604-0x0000000000C90000-0x000000000114D000-memory.dmp