Malware Analysis Report

2024-10-23 21:51

Sample ID 240911-hqfe8sxfnm
Target 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f

Threat Level: Known bad

The file 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 06:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 06:56

Reported

2024-09-11 06:58

Platform

win7-20240903-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\e65bd18633.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e65bd18633.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 792 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 792 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 792 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2980 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe
PID 2980 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe
PID 2980 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe
PID 2980 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe
PID 2980 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe
PID 2980 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe
PID 2980 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe
PID 2980 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe
PID 2980 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1060 wrote to memory of 1704 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1972 wrote to memory of 1640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 796 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 796 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 796 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1704 wrote to memory of 1904 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe

"C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.270383104\815647067" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9802e63c-da29-4f72-8f93-0290952abb9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1328 4209158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.987955262\1731638230" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65aa4349-0109-4772-81e7-630e35ecd062} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1520 14721f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.1553389652\364716142" -childID 1 -isForBrowser -prefsHandle 1836 -prefMapHandle 2028 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cff3ff-96f7-4148-89b4-f56920ca6026} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2004 19ab6c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.1093866656\1049704984" -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 2600 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f095574-31cf-44b4-ad8f-fa7d81a6c996} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2616 1d168e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.336043100\1883955856" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 2976 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7abcf785-7b95-45fe-8af7-eba2134df39d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3716 1d2ebc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.314380601\236099452" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f621ca-0495-4cab-9a9e-fdd2db15c35d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3820 1f018a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.1532063630\173996253" -childID 5 -isForBrowser -prefsHandle 3880 -prefMapHandle 3884 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f1de22-7ebc-4c70-b28f-b5408f5dfce5} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3868 1f1aa558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.194519313\135199502" -childID 6 -isForBrowser -prefsHandle 4416 -prefMapHandle 4248 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9af629b-dd2f-48d4-bb9d-15f6a734a86b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4460 1b44f658 tab

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49287 tcp
N/A 127.0.0.1:49297 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp

Files

memory/792-0-0x00000000000A0000-0x000000000055A000-memory.dmp

memory/792-1-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/792-2-0x00000000000A1000-0x00000000000CF000-memory.dmp

memory/792-3-0x00000000000A0000-0x000000000055A000-memory.dmp

memory/792-4-0x00000000000A0000-0x000000000055A000-memory.dmp

memory/792-10-0x00000000000A0000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 656dad33ed55f336051883f756e7d041
SHA1 83ff37e0f8badb060900511002fb14e8c4deade8
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA512 ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c

memory/792-16-0x00000000000A0000-0x000000000055A000-memory.dmp

memory/792-17-0x0000000006640000-0x0000000006AFA000-memory.dmp

memory/2980-18-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-20-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-19-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

memory/2980-22-0x0000000000EA0000-0x000000000135A000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/2980-38-0x00000000063A0000-0x0000000006A2D000-memory.dmp

memory/2980-40-0x00000000063A0000-0x0000000006A2D000-memory.dmp

memory/2164-41-0x0000000000350000-0x00000000009DD000-memory.dmp

memory/2980-58-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-59-0x0000000006380000-0x0000000006A0D000-memory.dmp

memory/2760-61-0x0000000000E50000-0x00000000014DD000-memory.dmp

memory/2980-60-0x0000000006380000-0x0000000006A0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/2164-70-0x0000000000350000-0x00000000009DD000-memory.dmp

memory/2980-71-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2760-73-0x0000000000E50000-0x00000000014DD000-memory.dmp

memory/2980-74-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-78-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-77-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-79-0x00000000063A0000-0x0000000006A2D000-memory.dmp

memory/2980-95-0x0000000006380000-0x0000000006A0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\db\data.safe.bin

MD5 8eeabfc9c8ceb590bc5026c62161058e
SHA1 04aa3a530c8ad5ee27b49d897fbd311ee9429492
SHA256 7e87156fffd2ee861b76a1534e767586700cfe045b76fe0c2ca5329de24586ff
SHA512 d18f6c29e4f8c9a7d838f758370e5014f2ac3553f10065f3564d746dd0f7a18231353f5041f3aeec86d0c561fccf569763c32f040b1804d5063b5d0092afb958

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\ece8f707-f9e3-44fb-9b07-36778bce0eb2

MD5 0c26349bd4c36f63a841ca22d1c07e98
SHA1 5be4aa634244ba356cb529a207ec940eb8cc19cc
SHA256 e19f720f90808f7c32ec8b896643d340b7a5adeb0883f1675e3856edf9f2f996
SHA512 2458027f60afd729530f32f850acc3bb277ce6445b853f3d4dcad24f2669bca0d1b2021a8fd97536d06214dcf844ff8dd45d41a817fc5da26a450ba79b321dba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\ffb9b9fe-7070-4a3a-ad01-f1f35475aec8

MD5 ed15f485684ed7829fc98db74487ec5f
SHA1 b59e7b7a717b611c79ca00c1c95dddf34682fe23
SHA256 835173dbfc93a73b39834fcf180f930c5149cf78a7b5662869454c628ae55f6c
SHA512 5f70b41ac3251d541f36aab1b680825c31599a4254ef971cf23f63bcf97924fc0ccd35608c7caf4ee8eac20e16a0dd2d4d767f343d9afdb417eca351be23f36f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\activity-stream.discovery_stream.json.tmp

MD5 673908d247d115cd5c127b37283436e8
SHA1 156be894e9087b2a0ec3729eba442623c1c16d62
SHA256 f58c4e2739807e92deaf669c0f4bc5f65ad6293763ca583656581598cbec88b9
SHA512 5fca77e34d74b30fca99ee30692864f1bfbdbb8e1c5ac1c69578b9c9eb1b7eff86130ebb4f583e7409c574cc34d5561e135aa00be864be35dab503351bae7344

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs.js

MD5 c7304f3eadf77b099bc524840a7fd96f
SHA1 b082fb76ddcd647384913c2c393c93f2ab13eab7
SHA256 c124183e7238f57724213fcbc3a2e7f21a96db64e2d0f853275e9d95feabf9f2
SHA512 0cd1c7762903fc3c64728a0a4a615a760ca1c2572b19bb103b859509f8ae8f6bd95ee705829907052e3e393a91369b04aaf13b3fee37d457e165ac912a8276ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs.js

MD5 90c8e763ca4aa7cf940d29bcfbd08497
SHA1 1c2de05e301b3aaf65fa674f309e6b956f8f01b0
SHA256 edb0482faee2e3f7a95b6d044e37a8915894e9184321a05eb1dd258c5ca1f87b
SHA512 c00a934435dbd7e1b5182e48b898c0913abb39d2831163b150ec81ad9ae2246bd52103ee1ecb742c34170221d4896f2cd4263ae9a1fb6893eb2835d7467bfd86

memory/2980-213-0x0000000000EA0000-0x000000000135A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

MD5 e737de3b1662263b82500416c0671133
SHA1 b69339872f3447ad28139f4c489f6e6e680a1605
SHA256 fe55107ce7d686cb732f472effa909f01de99f042ec391cd4875497179ecc487
SHA512 c02450b2234bca735b5400220ee77d2e5d7477b5e002eb05bccb8d112890d845fa4c8310426dfbe7b38d9e11125ba35acb73cdec196b7064713b30da21fc1a95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

MD5 48a549d4bed45bfd4c6aa412fa6e82d1
SHA1 70e075570a7a6a937b485b8184d8ab9292a87745
SHA256 8d97408e667127ea9dc2d1e264791e0ecef2ed4ed5c570b31fcc589b7f1fe1fb
SHA512 7d4f49cc0a6f2af858692867fbecebfa4a1739a3c83069eba49e94f6429d7e9000799df4525c05f6a8e1ff83260f23cb73f23e21700cfc5e6234dcd27616c3f3

memory/2980-282-0x0000000000EA0000-0x000000000135A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b77d77688e33b42336575d5d31ee785e
SHA1 c99bcb17fafebddef59342cab4bd29e27c911f3e
SHA256 681d21ab5b10475b9f1baca9fe08e6f334622bc64f647f0b88d949d6cbf162ab
SHA512 866f9ccd3d6954783e38c23bc01bc7092db2bfdd99e22fa7f04713eff49fe957ba444297c279cd5ab13be69dfd5d15be69d8e733ebdb7328e5b28665aa104529

memory/2980-299-0x0000000000EA0000-0x000000000135A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

MD5 a7dfabbda24bed342633f628edddbc1a
SHA1 9e4d2463ffbdaa73aa4696fd3793ddd201cfc053
SHA256 453be4986f20fe8a29bd18e01601a343cbff9e6ef30811200f2117bda840dc23
SHA512 c01f8b25e9c01afa7e20164a8b471b89ce90df8c69d004d0ef38cdb9ee9649e69488592b2d21986a971febd5ff755ce30ce48a08404ad66c57b8c33a71c22eab

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

MD5 1ecfe132189b8f03b358753bb90ac85a
SHA1 21c01e99ecdd9b51a1bf679c532abe596307be2a
SHA256 1aadc96abb320462e6ca3fe5c5ff2d6570811f11f860780beced16436e050d9f
SHA512 131966fd8297c75b977ec0f5379dc9b6b9c9aa9e7871dcd425a0c2508b2742a9fdb99a19a704bacbd41bc6e74bd9400c53405b130ceb24aad76e786c18d25ba3

memory/2980-381-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-384-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-385-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-396-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-400-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-401-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-402-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-403-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-404-0x0000000000EA0000-0x000000000135A000-memory.dmp

memory/2980-411-0x0000000000EA0000-0x000000000135A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 06:56

Reported

2024-09-11 06:58

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a7eca94474.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\a7eca94474.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe
PID 4904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe
PID 4904 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe
PID 4904 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe
PID 4904 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe
PID 4904 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe
PID 4904 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 1488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 4880 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 4880 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4880 wrote to memory of 3472 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 4352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 4352 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4352 wrote to memory of 1240 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3472 wrote to memory of 2892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe

"C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\a7eca94474.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66d5d3f4-9722-48f8-9a65-a8bb246375df} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1de080c-fcdc-4176-8b9b-c6fd269bb3db} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb9a8546f8,0x7ffb9a854708,0x7ffb9a854718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb9a8546f8,0x7ffb9a854708,0x7ffb9a854718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b2a2ec-b34a-46d8-b24b-f8bd933d2a68} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3604 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ae01a3-5a77-4da9-83a0-4f2580a6b594} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -childID 3 -isForBrowser -prefsHandle 4532 -prefMapHandle 4528 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce19dbba-22b4-4aa5-b5d6-093f4c9a55c1} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2788 -prefMapHandle 5080 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69e0c841-7b32-47fa-8528-ac1d0c2c0f75} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1366928157184829864,1037347526009546023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1366928157184829864,1037347526009546023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25937fba-0668-4ba2-9009-a67650f8278f} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 5 -isForBrowser -prefsHandle 5872 -prefMapHandle 5876 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c62a98a-ffb8-4296-979e-b7f542432b01} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6056 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6068 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {794f68c2-d20d-45a7-97f9-4a4dfcc3c21e} 3472 "\\.\pipe\gecko-crash-server-pipe.3472" tab

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,8164217213740951845,7845870023510113853,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 youtube-ui.l.google.com tcp
GB 142.250.179.238:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 143.180.12.52.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
N/A 127.0.0.1:52960 tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
N/A 127.0.0.1:52970 tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 214.80.50.20.in-addr.arpa udp

Files

memory/736-0-0x0000000000210000-0x00000000006CA000-memory.dmp

memory/736-1-0x0000000077614000-0x0000000077616000-memory.dmp

memory/736-2-0x0000000000211000-0x000000000023F000-memory.dmp

memory/736-3-0x0000000000210000-0x00000000006CA000-memory.dmp

memory/736-4-0x0000000000210000-0x00000000006CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 656dad33ed55f336051883f756e7d041
SHA1 83ff37e0f8badb060900511002fb14e8c4deade8
SHA256 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
SHA512 ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c

memory/4904-16-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/736-18-0x0000000000210000-0x00000000006CA000-memory.dmp

memory/4904-19-0x00000000009C1000-0x00000000009EF000-memory.dmp

memory/4904-20-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-21-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-22-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\9d5ed897e9.exe

MD5 6ec533d4b68b9b65f45160ba3bfc9422
SHA1 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256 dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc

memory/4936-37-0x0000000000260000-0x00000000008ED000-memory.dmp

memory/3936-54-0x0000000000270000-0x00000000008FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/2240-63-0x0000000002650000-0x0000000002686000-memory.dmp

memory/4936-64-0x0000000000260000-0x00000000008ED000-memory.dmp

memory/2240-65-0x0000000005040000-0x0000000005668000-memory.dmp

memory/2240-66-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

memory/2240-67-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/2240-68-0x0000000005910000-0x0000000005976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bid2skol.qnm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2240-78-0x0000000005B70000-0x0000000005EC4000-memory.dmp

memory/2240-79-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/2240-80-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/2240-82-0x0000000007260000-0x00000000072F6000-memory.dmp

memory/2240-83-0x00000000064F0000-0x000000000650A000-memory.dmp

memory/2240-84-0x0000000006510000-0x0000000006532000-memory.dmp

memory/2240-85-0x00000000078B0000-0x0000000007E54000-memory.dmp

memory/4904-86-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0446fcdd21b016db1f468971fb82a488
SHA1 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

memory/4904-106-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 88452b5e9cd0eface35055506faea2c4
SHA1 ae842a5e6dea35afd24ae6043ee57f414a6193e1
SHA256 59f521b84045c868897acc9969ab106e923108c2faae5ad76a771eb0bf75bd52
SHA512 a530013e43a3a6fd95f06b530c346d4f3ddbe004226e613b720a77d675e608b3d003a8556c289cfb2caee79682426ef910bc2f0f91dac96e6b29b21b8814c4f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 22e264367c8d556e19377a9d20487ee8
SHA1 c9e6512bb16df1c8c499ae876e30168a50a04e7b
SHA256 b246ff0bb1827a5b0bdd42ad28f52f1bb62e86ad0e3b5e9278b5908d2f0af309
SHA512 73cb1062e7ef10995484f27d4742f771f7634aab3aa44d911cd8d83245ebaa503b608964b03a92a4fe022dfcb0e89d33b02ecbfb13daa9a548d7134eebd96bda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3d576677-2e6f-45c5-88b3-458445182166

MD5 51a7702255e0a2cb4a6a96a9e1036d56
SHA1 61e6eb692d2fae38738d737bb572214296e986bd
SHA256 3b85e472b014eff3e6b42a707f0dfba9a8c7b1b8e5cde35420cd2b8272629a50
SHA512 6189c6891480493e3690eeb2c37fad6673cb469f04c31447381eaa4ff1ff8a003a7766ee452320c9b90caba87c553a5f482343028bc13a0d7089c6c26acc7d3f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 00fa40b6f9044996642f45b79cedd0a0
SHA1 9910e0d584b2dcbc8803bcea4bfdd772c34b4119
SHA256 fd6eb855d9339cd51b2275ea1ff11e97acba82d408d0c7c717fe9ef1ae9e326d
SHA512 5560ecb2fd382c32af9485f9ba1b512f53d42f8a82f3660dacca57c9aded75513c4d4446a1bbf07058e879ec9fba75e3d6316a348d4f7ba15b55e56285c63e4c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\d71c89bc-e39a-4fa9-ba36-85e0675c38cf

MD5 75cbe9ecdf7d3adf8de45c8babf00ef9
SHA1 fd4e7982235d3297fb700c3c421141fc2a5efc59
SHA256 1f3a151e8de45c55219d2a3286479afc471676244cd0702be041aaa99fd3daa3
SHA512 5c6477b28c40b3f137d00d339aba5193897e4e74d5855b7ee645ca28c4dcfdb20845f42b14457b4cfc05842b24564e4463c2232857d125c74535a38bbb94e56d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\778ddebd-2813-47fe-a124-e2b4d469a9a8

MD5 830eed5d690786d73f50aaf6ce2e722b
SHA1 c9081f60f58d6fb6e0e1f0cc30ef39ebe437eba0
SHA256 72f2a134d3cc69261a74e4c48831a7b5f6f0953a2b611364a6ce461cdf80ac6b
SHA512 7cf54d20770a6c0bd28afcb61fc2263b7f28ebeab0abe76aebcfea6a41f76400f38cf67a4632f4121e1e6e2bcd23d71cb96190cf05367572c699ba4645aa7504

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 af1fb2f579aa10bc84625fa7a24c6a99
SHA1 b6b08cae7a82b2527a4aa49299c83ec824b18e49
SHA256 2357a705698c8bcc868751cf237f68a1198bf01f836c93abdc565cf719559f76
SHA512 622156a1bc8820d02ecc8b42e16443b2a55b64a42aab6eb16c35f528ba9e201f9e2654251db6c162808d1c255fe5438d794dfe8d8a804986c2b8a9deb92a6366

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cd809dc65ed8026e95c062961c6bac3a
SHA1 fcf10cb845d97618af2cc50a02d420f5bba8439b
SHA256 845a8bca36b1726654379ec37d70f199a508127bd5387ceae7afc5721f0333fb
SHA512 2b74130cd3126b9a580c5711a88e19df3e3d024ccec19962a057b3efed5f5bbb5837db4ee046db3d24bb19a55418850c527d0f9f5d1829d9e57eea1f541c0ed5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 da81bc4b305e006e9038364f13a948b6
SHA1 b9ad7ecdbfaac60c47efbba12c59d760ce7f5f7b
SHA256 6fe82a2ae34ba13eee71752eae4554716e44be69de685f86bb8759f116ed6fee
SHA512 6013e275c35a8bd08cf6a56ad3e8e76331d9d619f9af9e2cfcaf65b43971da981bbe68fa64bf1ba4edea0751251038fdda208c0cdecc11b8d0b63f503ea7ae52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9b008261dda31857d68792b46af6dd6d
SHA1 e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

\??\pipe\LOCAL\crashpad_3664_SKDGPZGJFWTNMVFX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b3e85c659778e01f06205a7c6bdce9e2
SHA1 f970596f4707571c0c8add44c92064750efc1029
SHA256 2f1c878d46feb2ac5f125b9eeb400b4a47e82518dffec880cd4d424b7a3e401a
SHA512 ff87475243aac43157a3cf208675537d8b4f58edabf1343b8cb936332ef2ec6230106f82a75cd24ad75ff1518a835c03a8d8be2c61e847dcd79bed05c020aa19

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 007e9a5bd4ade48fcf221819e788d9e1
SHA1 1d64c80604e192c7ba3c4f8686418a5ea8662bcc
SHA256 774ba421896ceda4a4d38067d5c49af86a77025fe83ced2a996fb40c0ea1fa0d
SHA512 934e16a0eb78475e0339c30c21c9f697bee0f649cd7ed8c64b3ff59b6ba7733c03963848ebc1a2e2f75290c557d032a6e60d9d4509eea34f6af02ee8b5aebc69

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

MD5 880164e4396e24262425f48258550577
SHA1 1170946536b6f6c819d3b4f51ec0333bc1a8f492
SHA256 b6b392917e333078bd1bc998119c155dd567cc5962716f68082d237bfa2b2dbd
SHA512 2fa67cb236c02aeda7729ce59d4c10ccd67b61905826ec554f575c91aaefd18f9ba438a3ad41e50d4a06358b64b6f3d02e13f0a52edc1b5c45c31a32b612ce77

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 05ac0eec99b8e79aff3739baaa4a2b38
SHA1 b55e063ab5797003d4e18e5686f254789423ae5d
SHA256 daaae26918f529611f37906b4a387d049c04022e38e227d25481387eb0dda09a
SHA512 04d4b68df5afdb2dd7102ee1701cfe9396ffe84e4490a4a8a2d1c7369a6295cedb3ac681b533d1fa572d73a28650a5ebe2971846aa84ff4f2051e7f70ca6170d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

MD5 adf52c247f1433ce50a906b48c31a392
SHA1 077547da0432c29e5491e80416b1400d47b92970
SHA256 7c2cfef5dab328f28774d9ba7deb94f285f7becdd6e833e7c92d5f88e7b1dbc2
SHA512 ecef2306d91d1e66a43af917bd6fd3d2f161d55c7e387f32163509104bd5350fa1694a6b35bf2eaa7a8ac78201e521ead033eb3224cbedcb6e258def75692ef3

memory/4904-483-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-482-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/3936-513-0x0000000000270000-0x00000000008FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 62218a968adfd2d2fefc181f2611b41b
SHA1 dcfba17271713d9e7c26e1260002e3a7da35779c
SHA256 4f51d7c8e548eaa6db26fe2f7c42b8534d002e7248511f616a7bcb729b287741
SHA512 8ea5147d15708d0ef663f359069fcc5c490e1f3fd45de0641bd4eb11302079dff64530b26d23f2e2ebb6239eefbabeff174af53af6685319aad9bacc6a36843d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9a4a474e319fe5072d8b9d6a5cbfd820
SHA1 f9dd2610d0dfe92aa04ca8eace45c8c0f416c6e1
SHA256 f1b8a229b80158e4e6d9ae9fce221234e4245703895ce8ecfee61260ecd45254
SHA512 4d29d6eb9c80116c20aae40499a8cac4712f19990748999d1fad51ba871f3d09206d99f285de8e5a66d333ab869cbd62bec5ea7dac15d154757d2343d608f325

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 23e17ba0dceb665305f3720643356b66
SHA1 d671629334e0bb0dcd704bda855695cb9d1f4fc9
SHA256 0d216a8e0752eda25745629ceb9535f734c3814aa6fd667f5ead0957b6ffb929
SHA512 e884e52cc6ad2e6bc231bcc8f3c7fec73c1fa3064fbd66791aca3aa2cf92fef694e06e77e8485c0e792239ae73f4d38596502a28a1ab1fd41a44a971ff49a395

memory/4904-667-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

MD5 a870f31559a7b1cc83dd4452675837d1
SHA1 fd2c75ecba0874fd971e2b890432bf1c9dfc58c8
SHA256 7fd9a06bf969172a6aca448f3fed159b8c7e58b255d8210399ee59778c198e5f
SHA512 14a752cb0d3e70c45e997669dea74c97a3c81ce474f93446a13feaad64ce182f1984730f86afbc6cc43fad3bc61c5630a4575bf27dc60e53c7ae87ce9f5affc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

MD5 115d8dfeb660d335d14688e9d9a044f5
SHA1 4f4c7df61cb1063ea24cac172590a5a1ef9b8735
SHA256 d327c83514de3e3d7c970109ba06b489cb8b34dc46f9a9b5de41b3319e19c327
SHA512 f47205f48cc68134f425ebe41a07ae4fb4c31bee92a3ae7373d485ec33937861499609a350c903dbd12e03749f5bfa8466a59c45a8277d3f7dc1c5b82104f19a

memory/4904-676-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 73386d9a9a8d8fe7da562dcc2a579f95
SHA1 8d6b1cb5b9ffa76dee57eba0cf8af953a458c6ab
SHA256 fc326e1d5852f812ea045bb21774419a53bcf469799321981bb9dcbb509fd229
SHA512 09d6a0d0f14494120858b08e254482a34c9e6646254199e32acd02daeedf16199f479d8e8e50a2d81a5b94bbbc2d6dea840d942b9ba83f4ab43cfcc1365b9175

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 86374ac2571284f36703b664faa4cc8a
SHA1 bafbea3cb15cce43cd6ce111cf75d106ff342060
SHA256 85d296fd43b3557d7c7e14fa3001412afa0eeb0cb6d11626eebd33a37df8dd32
SHA512 fa993fdfa83ceb41bd45d4235654543717b76703014089363f0679d9a5510bf3b44e5a380ae662a12a62264737c6059ab9a678cff4d293d433483799a3981648

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 6f78e76486383cdd58dc767f9eff39b2
SHA1 6281df0a1bf33cafdfd3ceb201c552506483f34c
SHA256 4971bc4e54a3c6c84f9ab233ffb125a4f457af00c27345ff302a6341d0ed41a1
SHA512 795ff7bd7a1dcc86c0f53944e58dca018e27fdfbd27ec11d11f2b2df80dfd325f5c3be14de715dafea243d1af8acc1fe9ea0ad9f173f57711f48d1825bd91e6d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5239be90cb256801218c38e9c0627b31
SHA1 281bbff8cdd3fc4edb09621a60d449da12e196da
SHA256 2192ef9d7d22529aa035b5523665acd479111df0ba23ba3fb48c4727b47515e8
SHA512 3920cf4d344319f8fd4e44426302aaaae54223d1150ce4684109971a1c6b9394b19c3c4d3a240f9faff752f22be34b650ff0d7e2a507eebd2b5ec59e0c6985fc

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 502d4b574bf2e1411f11474ecc7510fc
SHA1 5b3933078636ae53617cb44972e0e9961e5c9ed2
SHA256 2efbf447798f4e5697dee9df8df25210ef344d2a15df842afdc46b7a15c0d2e0
SHA512 6d2ac17c080ced9284d337023da925f731a8e0b1d34665f90177c3d11936cc981a9d3f4eb0e67c1ff11226a6752b07661247c62000464b0ddfa7262b7f63ae37

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

MD5 d2727bf759a3b371ff0f9120b58efdae
SHA1 154b651aa5bac1809e3bc642046b177d866cdef1
SHA256 f5d939e05e84893106c218af100042fdfd95154ed13a347fa1ddf79ed6abb3ff
SHA512 2e495a2a1634aa4bdc2a17e867c7ed69c13b7f7c4d7b1f4e8da2b79823ceb0296e8b01edbe7102c8690a683e0898b4b63b75522bfcf412ebd4f16cec14b11c6d

memory/4904-2378-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

MD5 f79245255994f12bc46487c3dfba74cf
SHA1 4cf4b8e8fb4e940a2f13b5dfbbf5ae31435b6498
SHA256 5330c34100a473cc9a454bb19e5d1c11bf6a7d2de5a257a573b648bc56f41405
SHA512 34351a780dd3ae1bfc0a3d6681bc2e5125eba3827dbcb6ada07ba61103a537f8e500b90a7ce8422d9aed77fba0dbe25d4bd29c0bffdcc12a65215aa351f8e7ac

memory/5452-2571-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/5452-2618-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3302-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3597-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3611-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

MD5 707bd3a208df854dffffda76f2b30931
SHA1 e3ca67939fb484c9e0858e0bbe8cc1d1d7cc2ec4
SHA256 9da37cb7f478f5e87521f85ad94d3e1238f2dcabeae0f73e3f91778c2006661f
SHA512 f1694a9fb64fe285b6c35ede180c27900cb4fa3a8b8cf3a13d81f23ba8d6c665f8b9f5a57de33092d6f04de8efe6be7be754dbb6c68aa42508f9c84384cd926e

memory/4904-3631-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 120abb2b2d9a6edc9563be716b56d332
SHA1 98eda72c3d75990b8384b2dfb5ae9289eb605801
SHA256 37f420fb18fd72b94614af65eef18870eced24df5ee536b5f20f82177654c91d
SHA512 263f0454463b14884cc91c64ad0c5d631a351ec85df2877def34ea6d246fe5304d2dc1c85ae30eae05cc2eb51c63cd3ddd947fcb8b36624a5c27b472c6556eae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f94f.TMP

MD5 b9203649ceec009bfecc7d9f907bc02e
SHA1 98202fb54b72581099a201884d7af7c92c63aa6f
SHA256 a057c34ab10c8605550d938343c7191b0b8189e29e19f1e35c3983da30a54b3f
SHA512 9cc6e993881a2ca69bbd9802e439bb34cefd9cc78d38d1c7a020a9882e076754acc7f4d57f2c6ff639cd37adafbf0a181c5df7d3ffec629fd6213b8f5d7dc1ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5be4cbf751be312ad68e7e05b915ce78
SHA1 0472eede2fe8e2b29b243c2d06191f21d2119c00
SHA256 3e429a712c2738a9d91d9b1f01827bfedbd6652bf960b10c527c0f712018cbd5
SHA512 7e56b5a129bd67aa7432bab16c7f51f739a96aed0814668b5a5e0eed06bb6b836d6b03fe2daff6be035950ef13eb825d710d35dfb13ea3e37f84910235da127f

memory/4904-3646-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3647-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/6692-3650-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3651-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3652-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3661-0x00000000009C0000-0x0000000000E7A000-memory.dmp

memory/4904-3662-0x00000000009C0000-0x0000000000E7A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8ae62e85a4430dba38cd142113ae5556
SHA1 9c4f0e433ffd9b44d740227d94b7e350eb39b80b
SHA256 3afc0858212d70512b873bc9abb9c786408886c44c0427e566d6284358c14c8f
SHA512 f8190ce6e7d1838a0f5edbca1fb5c556b988c2498e02685a0d49a0a6cfc3b6c3360e5acfa42e8e5e269202390e9572e6d8c604626403f5d5411c2ff692c5a720

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 871e65b53dddfd24ee74da1835aaba31
SHA1 72d5a563fb72e5cfec58655884b05893f2da837d
SHA256 3ab4a2a74c70289bc3e740c129aa81c985aef16fa8525e138c97a0849cd5b3d7
SHA512 61230821aac67e6dbadb43afdee632c4e964aa1a596e86782f6b39854e48a3fff42e7883ae6d9ec47f21acca637bb5c077369862819b240ccfa1f265fac6a1c1