Malware Analysis Report

2024-10-23 21:52

Sample ID 240911-k4m4catbrh
Target be78f72a1d60ea77948a7f42855ef3c0N.exe
SHA256 0b5f4f1dbf0a3a1793f41bfb16c533bcc7cc656772b4cadd77a3e04f6e312325
Tags: amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0b5f4f1dbf0a3a1793f41bfb16c533bcc7cc656772b4cadd77a3e04f6e312325

Threat Level: Known bad

The file be78f72a1d60ea77948a7f42855ef3c0N.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-11 09:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-11 09:09

Reported: 2024-09-11 09:11

Platform: win7-20240903-en

Max time kernel: 112s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\d9736386bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\d9736386bd.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2532 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2756 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe
PID 2756 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe
PID 2756 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1564 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1564 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 808 wrote to memory of 2572 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 848 wrote to memory of 1404 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 848 wrote to memory of 1752 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe

"C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe

"C:\Users\Admin\AppData\Roaming\1000026000\b6c929dfe6.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\d9736386bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.0.2078002829\2097327821" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebdef71b-3d70-47a9-bee3-f46e3255f671} 848 "\\.\pipe\gecko-crash-server-pipe.848" 1292 120d5b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.1.1485926050\638850840" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c34da12-c10b-4b5a-b6a1-4868f2e65b88} 848 "\\.\pipe\gecko-crash-server-pipe.848" 1496 e74558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.2.1779720031\2040582800" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0892d43-7717-46b6-9b68-d7c05418cd38} 848 "\\.\pipe\gecko-crash-server-pipe.848" 2092 19d94c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.3.153809325\1182967402" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0520239-1461-4b97-a6f4-a14652e57415} 848 "\\.\pipe\gecko-crash-server-pipe.848" 2888 1c6a2558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.4.1926757468\1238999506" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {360c707a-1855-4f8a-8caa-ccbe2d21580a} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3716 1cea2658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.5.234357403\1311322637" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3836 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9ba8601-83ab-4d48-9ea6-c6e759498623} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3824 1e203b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.6.831638863\563841209" -childID 5 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3341e14-ace3-45c4-b5dd-f3e425816f4d} 848 "\\.\pipe\gecko-crash-server-pipe.848" 3988 1e206e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.7.1661584109\391365625" -childID 6 -isForBrowser -prefsHandle 4400 -prefMapHandle 4388 -prefsLen 26372 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88111f5e-3bba-4a17-80da-7f7f03c11d4e} 848 "\\.\pipe\gecko-crash-server-pipe.848" 4412 218c9b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="848.8.1263012408\180278821" -childID 7 -isForBrowser -prefsHandle 4524 -prefMapHandle 4528 -prefsLen 26372 -prefMapSize 233414 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e53436c-67a5-47e4-9e91-c47e65211724} 848 "\\.\pipe\gecko-crash-server-pipe.848" 4512 21c78258 tab

Network

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

MD5 391aa717adc573f884394e78b4ca6418
SHA1 e4fdd9e1d5af8f4e0e272c0ee5ee1214276360b1
SHA256 ed0dd5f4192e2fdb4873914d0de06e69b8b6f206855cd2e1a726c656c457c797
SHA512 7a11bcdb28e5131783accfbf1366c3d1c15f3b195184137a0fd8334288815210384855728c3069dc472d2868c6187eb363cf41f7f14ceac8f2e37c22e0af386c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

memory/2756-371-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-372-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-377-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-386-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-389-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-390-0x0000000000B70000-0x0000000001028000-memory.dmp

memory/2756-391-0x0000000000B70000-0x0000000001028000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 09:09

Reported

2024-09-11 09:11

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\391e8dadbb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\391e8dadbb.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4780 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4780 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4824 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe
PID 4824 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe
PID 4824 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe
PID 4824 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe
PID 4824 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe
PID 4824 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe
PID 4824 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4336 wrote to memory of 3708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 3936 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4336 wrote to memory of 3936 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3936 wrote to memory of 3480 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4336 wrote to memory of 3108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4336 wrote to memory of 3108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3108 wrote to memory of 4436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3480 wrote to memory of 4788 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe

"C:\Users\Admin\AppData\Local\Temp\be78f72a1d60ea77948a7f42855ef3c0N.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe

"C:\Users\Admin\AppData\Roaming\1000026000\7499298041.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\391e8dadbb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30bae5ac-face-4b82-8f67-f40e8360e44b} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf3ca45e-5eb1-4bad-9921-a9b2dd0dac68} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f9dd46f8,0x7ff9f9dd4708,0x7ff9f9dd4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac2acf0d-1319-4715-ae23-cb648a31eaec} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9f9dd46f8,0x7ff9f9dd4708,0x7ff9f9dd4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3544 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3372a84-d90e-47ad-8aee-9f3fe7d57369} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 3 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4d4e2b8-6b9f-4f3f-85e1-00df9af648c9} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4932 -prefMapHandle 4928 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5d59b1e-7bf3-4b85-bd64-4d5f4dec0fa5} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14199714472989654845,6352548136531364158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14199714472989654845,6352548136531364158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 4 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d1c9162-d051-41d6-a56b-d044de2da79f} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 5 -isForBrowser -prefsHandle 5896 -prefMapHandle 5900 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32d3b8b7-d10f-42eb-a9c4-4a3622cbabdc} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6068 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d54d1a61-f2f6-46db-876d-e1f08dec493a} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4995195764376258884,7385093694108194620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network


Files


memory/6424-702-0x0000000000280000-0x0000000000738000-memory.dmp

memory/6424-719-0x0000000000280000-0x0000000000738000-memory.dmp

memory/6424-720-0x0000000000280000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 a9cc289b7c832c56df7e74aeec54649d
SHA1 ad3b5ff9188a5cd64ebb31d43cc811a6d70e1811
SHA256 19a4bb8ae6cf0a4bb2572cd6ff041c67a8f3d9f46a0750d5ad66493997c14f7b
SHA512 4aa3dd6cab7fdb2d9448153711320375608fa442c6fbe4c388b8e27995407552a1d536b968c37fa70da7425f2258745388c52ea03c0b4f877ac674a06345ddbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 16ee8eaf7d7df0f7fd270870f299951d
SHA1 f14f0893c4a1096537971949da49c687c6050f9d
SHA256 f626f03c477df37c77109a31bd8e22a7f276a2c6d3d3520fece5ddbf8da81e5b
SHA512 a00dd932cd279d833444a596e957801470bb64a601584be56c8b00b8e71d943eac1cbe341173a5cff43a8d8e1abb5366f4c6447f02f82a04bf98a739c4818ccc

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 6b0d05ff593e4f68cd410e5d6e400b6c
SHA1 b80af5fe9757f1ff6b7425ea63cff5cbbda0f116
SHA256 257d0452b0da4b9212ce9a3a4fdc99e5519137bc6ea23f25a2c3da554700a65a
SHA512 706ac5cea39884bcb9bd7174c8e10b745af95ad413189c94aa75b20f859b69e472b9253b06134e6e90219de12fb7e246bbde06fb2ed1a32588d3d08ca541a935

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7ef35cac72e6951501bf797410d42a63
SHA1 93eab704384ab8a3c275e4d3c584e5ecfffe1c8d
SHA256 8ecd97834c1eed7e6b655b8772692fd943f2531ff02021d1b0a14acdc6e01801
SHA512 97804cde6fe835f64fc263aaddc62fc5ebf38c6f2f9b6efe12122d26023ba4cf7fe3de35717214d38b5e89a827e5fa191440b31569e27cf413f7c641abb418a3

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/4824-862-0x0000000000280000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

MD5 01290afbed9954ed603763cf1c4d696b
SHA1 18d636061e81f0c6edc1459d152b927e08bce42a
SHA256 21918165be0937f79726e7652e3249c6867c9cf607451b848072e21c41ce79c9
SHA512 f35896638ae61a37fd82f2feca24a42c719672cfe86f3566a51b50ce360e24bcc874ce796ba76a691304329788159d8c6a78de37ba48178d0c4c26f5cb4af860

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 440bc102a5a6f0dfc99d7f4a014424a1
SHA1 653cfef3b5841694bb9ae7dd6a1a4d79685ed841
SHA256 36f4607b8c9ec51615e8dc3b1e165354ec70747296b684e052b2bf341eaa9b6d
SHA512 861775494bdc429270cc18ff4bd383d7e8e9f6be713da205c97af99894e544a981dc639b222fd628cc1e514ed3a432f51b76254dcfc6524ccd2f988f7866c891

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 10361aeb1915deb1b13cf32ff87c0433
SHA1 dab8a82523932e699946b9d1e48db87e546bb8e6
SHA256 caf2c3cd0d1d82a9f4d315b81b527079dec9265b5501be59d08f87a35ebc280b
SHA512 a16f9bf9034f5f63765d20688af93eca00114caef375956600bde90e1e5d69eca3c7193790f3806d48d0282fc982bd1424ce2522d83901aba36bf04b47793b12

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 851fedc8b60b2836502bc879272a39e7
SHA1 7f7ac7aa8528e6c4fd05a8dd0f068b03829badbb
SHA256 b5a8ced536b7610841695a1b4027aa38ee4d211ea0579a9e12d70dad5e3b8024
SHA512 cf32e1e3354a514ad8e914b1fe8a36cf389106fb5efb8c4e9ae2b7cbe085fd740fefcbde63dee2ee7711039947246a1165124300f6e89f6a128d0a24a7ee9763

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 35e26d9a040139c07bc178c6b0edc20f
SHA1 4c587266d2510ed708034ce8fc3da1e7092b66e6
SHA256 7bfbb0635b536341f39a2305160dccd9f12ea6454c494a818ffa6023ea4ab9dd
SHA512 d224fab1da09110012ca40fb29f64f22b758b6fb7baa12912c5bb41516c4af34c442fb6867b8eefcf2b74cdebf1fb3cf72878a75393b4ca85effd169538ae1b3

memory/4824-1204-0x0000000000280000-0x0000000000738000-memory.dmp

memory/4824-2043-0x0000000000280000-0x0000000000738000-memory.dmp

memory/4824-2805-0x0000000000280000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 3e3da8af67d46430ab50ee43149a7107
SHA1 b5fff74a6751a77359481e8b1fa81b17a50b31e4
SHA256 79abf61e9faecc8bc0e3520bac8e37bd73954fb4c7a77b9f002847b11dcaa8d9
SHA512 64485eb82807b84ad518732c633c679844b5d7028adb34a0991ad108a4c11a9c7961b6c828ef54ec5a917025b9fc9689d731cc91b2495638fd78b497993c46ec

memory/4824-2913-0x0000000000280000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d3d51d1a3e0ff15fb9a404d62274baa3
SHA1 8f007516b461723d6fadbca65ae769646a46f7c2
SHA256 364865584280a0700a7bdb2979626ff320df058e1da4b5c578693e3bd3f41ec2
SHA512 3018ac9dd3652cf160c2121debaa37a85d308339cf69ee2f7925c9d4ea9a0360809404efd088d26beff0092600107137944fa4e7ab28be170c1c1f21e7617d41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4d95b23690bd549ba769d7a323dd8258
SHA1 ead66fa3f259ccec1b2fe21a19dabc05c1640b08
SHA256 73b7b3185587c971fe581cbf8a68864df5cf6e7937c1f92c4a5b1e0fb146b397
SHA512 1fa3838b2215b5f74aeb328e85c1aac8b15216b6c1f94702ae9a3b094154d2b67a949df1cd052287b7e86e642129a584ac93eb906779c0b533fa52e319b6cdba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d28d.TMP

MD5 a9a67e0ff341a19be60ac7b10d92d297
SHA1 42aaea720d96f25a2c977d45e74b8d0cfb9a19ee
SHA256 13cfe27d7bb2c35c5045207dabc780c914b37bc408d4d31d62ec360f9bb782f6
SHA512 24d87e62686d81b2412a8aaf3a5c6c4f15c8df10e1c6d5ebf9721e1f509c65b3e49b8b3984272300d4edd9e24f06819ed871464bce63725abe24fcf73b4c2c7f

memory/4824-2930-0x0000000000280000-0x0000000000738000-memory.dmp

memory/2736-2932-0x0000000000280000-0x0000000000738000-memory.dmp

memory/4824-2933-0x0000000000280000-0x0000000000738000-memory.dmp

memory/4824-2934-0x0000000000280000-0x0000000000738000-memory.dmp