Malware Analysis Report

2024-10-23 21:50

Sample ID 240911-l3sg4sthkm
Target e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3
SHA256 e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3
Tags
amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3

Threat Level: Known bad

The file e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 10:03

Reported

2024-09-11 10:06

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\812b16d33c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\812b16d33c.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4012 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4012 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2432 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe
PID 2432 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe
PID 2432 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe
PID 2432 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 2776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 2776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 2776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 3584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1460 wrote to memory of 3584 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1460 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1460 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3584 wrote to memory of 4088 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4484 wrote to memory of 752 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe

"C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67f87667-91ad-4984-9713-d78ae18d69e4} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1992747a-d145-4bf1-8ca2-08f0f0c47b2a} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc011446f8,0x7ffc01144708,0x7ffc01144718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc011446f8,0x7ffc01144708,0x7ffc01144718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3376 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3216 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81424bbe-7ba1-47a7-995d-542512828acd} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc76a70d-c0cf-4c5c-80fd-7b4c0b5ae2ec} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 4092 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2495ebf-1bdb-444a-aed4-be6fa9a48e7a} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4552 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b6ba667-a403-4750-b980-3514627b65e7} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15955108826535031488,12552280043719619447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,15955108826535031488,12552280043719619447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5768 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f05d08b6-8941-47a0-9301-1586e762709c} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5666f12d-77c4-4bed-b1db-f31a87f4d3fc} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 6 -isForBrowser -prefsHandle 6024 -prefMapHandle 6124 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9ac3e6-7875-408a-b037-315641564e5f} 4484 "\\.\pipe\gecko-crash-server-pipe.4484" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1606088957600998930,15359883203998422311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.179.238:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 172.217.169.78:443 consent.youtube.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 158.124.235.44.in-addr.arpa udp
US 8.8.8.8:53 1.97.149.34.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 172.217.169.78:443 consent.youtube.com tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49478 tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com udp
N/A 127.0.0.1:49485 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp

Files

memory/4012-0-0x0000000000AD0000-0x0000000000F89000-memory.dmp

memory/4012-1-0x00000000777D4000-0x00000000777D6000-memory.dmp

memory/4012-2-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

memory/4012-3-0x0000000000AD0000-0x0000000000F89000-memory.dmp

memory/4012-4-0x0000000000AD0000-0x0000000000F89000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 d4a8074d0e6ec329e01d59e2c977bcc3
SHA1 2e680f12aed4c51ed2277082c3f8af9368f7f3cd
SHA256 e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3
SHA512 f670ea342da46e72001b55a7ec396638284baafeb6f7ee4c261d1323fbcf9cd9718eeeb2c917ac28d5a76939a7321895a277104ce654e6f037d477e72eb74e7f

memory/2432-16-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4012-18-0x0000000000AD0000-0x0000000000F89000-memory.dmp

memory/2432-20-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-19-0x0000000000211000-0x000000000023F000-memory.dmp

memory/2432-21-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-22-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-24-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4288-25-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4288-26-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4288-27-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4288-29-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4288-30-0x0000000000211000-0x000000000023F000-memory.dmp

memory/2432-31-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-32-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-33-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-34-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-35-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-36-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\3c9a2f2f34.exe

MD5 46ac298f71f21e18d32578a99b5aed1e
SHA1 cb9fcb254358ccdb7e902cd5ddf98bcc056d6607
SHA256 a5133e4c3f06275acd9a97e4341f45cd415739d85f338efc54a77fd69caf12d1
SHA512 d072ab3aa7aa210e1a22e30aa158d3e497ecb8122345ea69e2aa8c7d0243ca61499602612b2c53cc73808209fc8bc2524d5aac6e08f559ca251e6e6adb2e6de5

memory/2432-51-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-52-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4488-54-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/4488-55-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-56-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-57-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-58-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-59-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/2432-60-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000030001\812b16d33c.exe

MD5 250051046eae3713ed1af118169d9227
SHA1 66ecbbeffdbb6bae912fc9f21b52faeac7b73d49
SHA256 c1d2816e557482077a88b8e23581cd82a92dfca70fd1e7ceaec4ba3adbd7d136
SHA512 a9a49aaf7e56466ec9cbdf86564ba5ad875d8233f12b26c718dc163dfb7d9e139891e5a422eca933e41c3bc19d5dc62d47606e23019fb0cce8f281a981a82d1e

memory/5104-77-0x0000000000380000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/5104-86-0x0000000000380000-0x00000000009FF000-memory.dmp

memory/1460-87-0x00000000047E0000-0x0000000004816000-memory.dmp

memory/1460-88-0x0000000004F40000-0x0000000005568000-memory.dmp

memory/1460-89-0x0000000004F00000-0x0000000004F22000-memory.dmp

memory/1460-90-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/1460-91-0x0000000005710000-0x0000000005776000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20vl3yap.euj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1460-101-0x0000000005980000-0x0000000005CD4000-memory.dmp

memory/1460-102-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

memory/1460-103-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

memory/1460-105-0x0000000007080000-0x0000000007116000-memory.dmp

memory/1460-106-0x00000000062C0000-0x00000000062DA000-memory.dmp

memory/1460-107-0x0000000006370000-0x0000000006392000-memory.dmp

memory/1460-108-0x00000000076D0000-0x0000000007C74000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 719923124ee00fb57378e0ebcbe894f7
SHA1 cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256 aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512 a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\db70d01d-be72-483c-8a1f-6c060a498fc9

MD5 0f2d7f76b9f276e6baa5d20545f0aa2a
SHA1 eee083bfd079bf65269191a190c5cd61b5e75cab
SHA256 ec3632d5c65c76e2a5f966aa2dfaa76c41e54485a7123c311c108a2d9226f5d4
SHA512 6b5fc2134239afc752f550accd138b000476f269a4d03cc5c4ba2e8b5ead3a80976065cfee9cef2de9cbc1c41e6b4e050338a50b3df4cd533da9c5d38fc95c9e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\cd6f9fe4-30be-4eef-be37-526a23ce0cc4

MD5 a9d3f753f2c5f48eeae62f78a958568c
SHA1 a1ee489e60918166dc8816468cfb3bc1ae204b09
SHA256 d804129938dcb61bff2e5ad0ceeaecd367da10265b792646051e0faaeb4abee3
SHA512 49c12ae87e6020b5edfe197a6dc7964fa60d1851c27b848f006396216794e1284a987a63280dc24ab038a6ce051b9ef321a0dd0c72c792a9513f0dff712e18b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\b190fb98-3799-468e-af68-e2953e4cf331

MD5 0abe4791e78184340264afb1a5d1274d
SHA1 f0e1d023698c9c255467e078f2202a2dcb61d93a
SHA256 02d6ec4313c81fad5747558ca318f70c90d7bd61bb464d3bc32d889235f2efd0
SHA512 9318a416120512050a2aaf7251443380fb15923e5ea9f736859ff0a4676d2c61c4f6a16112a7404a883aed9a2f809a189977c7a917d2617a8fe30659f9ac40c7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 548eb4b861794ec88e110532ef1ee725
SHA1 614b753821fd8a7fa67445a68a76ec19cda39f9a
SHA256 0cd247cf215b9deb8cfb6f3dcd36203eecbdb1ea4a7dd020f32ac19f62e3f9af
SHA512 d51bdc7a0305095cfc468cd8b2e6453a8327e0cf3b7f43b9a41eedc5523faa3396925fc595ef94aaf14d7d81d32263556cd029f9a306f87f43ce7a0c278b0be1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 e8d4a2273a93c954e154695997236884
SHA1 2a975b8d6549c076ab3f75bd0c038dc4ee3d17c1
SHA256 87866f95510e93add43e250673245b4a4400d352f74a89706ec48bb9c08c28ed
SHA512 f768f8f1e5bcebb572739f5ca1da50299f58d3857e1e144f00fa88b7151fabcb61c4128bc9b1ab7925dcd9e6c262486206e86b506bbf3d56c3392ffc9f65fa09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7114a6cd851f9bf56cf771c37d664a2
SHA1 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256 d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a189f92d14d5ddb0fd5ca892254188b4
SHA1 4bfaa34f1bf8141b7f135fe837fb38fdd60050f3
SHA256 268e69f8b71019289f38aa11e55094d42d890f84a2ba1c5ae6c17e912a1fa04b
SHA512 a3b1fb9df9d4eb7e612c0c2f523479e0b7eaa3c1eedd82be85172ad59bede077d23cac2c7d90026df0a09d254bb953fa50461c18932200b5df0c7c36629b123b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 37554f68ca991637ab13aaa5754334e5
SHA1 bc5f82985b3e65269891a479ae29ca949bc395c5
SHA256 3c8f56b2d3cd9d4aa616c7000b760c56dbf14014f4b5fa7957538eeb80fbe357
SHA512 47a604cdb6a07ad64c4f9006d57bc1955749589ad081c4aa54e401de4ea96c6b759e2546b637c5a15c7d29b363f5a735539153112de1d6b257125b89766d2c98

\??\pipe\LOCAL\crashpad_1272_HKQTWBHFAYHCHCRL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 09551f7fb87a8785ae1f2231ca2eb7f3
SHA1 187a6ab3c3e78ef9ef34fd4c4bf62be4acf7fbdb
SHA256 f30c0aff10099fd37f5fdfe88aad9188e96f981b0a58d83d356c1c2e4d814fe2
SHA512 6f096011b37c425332a26539c615e71295c9048d045cfae2ea4ba92cdf5d1415924dae7191e02f3409c32fdb216b6150c1cbecc544f60e9e443ab70919b2b74e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

MD5 dbe565e9750fd8f3f3f156b5b507bd9f
SHA1 97c44140f5b503d053cf6bc2bf03dee09497a386
SHA256 d6abc212ccede78af0c778c62d8271c4bed6136e4db7867fcf94025bd6403b96
SHA512 6adc3cb220fde2b64405c386279746b243ea8fddd58d0438ba9519bf23d66ce81a3fb4d4f61464fcfe11228353561c971963f130479afd81567942ca3d5d0257

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

MD5 ca751cd0b23bfa3d817df639461edc6f
SHA1 368ff4d369f1dc86db3dadadd669d92f4a4eca93
SHA256 f5160ab17c9aaf273364fa4aba6c973a87b70deec0fbd48b189b24f12769a6b6
SHA512 ac0ea3cdd0f8b39f5b014b70617ae5d075c341d36097752acf94723455507e1d40742ec202605a8da742684019afb2ccd0f2483e7f91a6e73b0bc824be955ed7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 aa035ae442b5d34b403e2c408d84e873
SHA1 8928027f58c647ec0007e7f5f6b1855381755238
SHA256 67c56f7a023e8968c3487599a324b01b630bdcf38ecf156a8914e29dd279a8ae
SHA512 85103cc51a1dd6c551da58be5f9f1d0605ec955fdac145c3b250c399ef0b271d8aa5bcbadf0e410470182a27350b4997db5c1954b9146a4e13dcefdef1d44ad5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a811ecbdbe21ab3cb62df9e8aa181811
SHA1 baa8f52e27774edf94083d4039bf62e5af3fba17
SHA256 14a7503a044eb09c05d81c0614d7080af3e71f5d85aacb6ccb0e0297a022d96f
SHA512 7b5fc9e61fde0ecfc2e95e681dea01311d62ce317658b19174e345a33b7848cb15c561235c7220a34c1a59af086e007c7ad5c80ccd132734a7194e6326c9ca5f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 a451fa5d5c70a6a206be97440d933e8a
SHA1 5ba7237e567593a5c24e9673a5ded7cf306fdaa0
SHA256 2cbb142490cee1647fcf8ee01eeec22684fa84e0ac14c893cb4cb69a88796c74
SHA512 c3bab64be754e19a1cedc03ad48e9ff29d359e094cb1903c64fb6fd9913029f72d39ccf6ef4222b7efc4380ba08438fd0e6d080e00d7bfd759fa607ea13fc29f

memory/2432-508-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

MD5 169bb0228e381954f9c8e5ea605b7987
SHA1 2a15d4641e68dcda6842da533ac4c4daff95fc67
SHA256 d548fac1ae3ee49d935aeeac906d2f99bc4734051080d87150c323d06a83b225
SHA512 dda5e91dcb2cd8204cccc52bfa2b408e5bcde7ec0c737d7759b4e03c5b3bcae7e38f14cb4f06bc0c7404ae24444522e4eb3beba5e432121bc808269fa556078c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5960-620-0x0000000000210000-0x00000000006C9000-memory.dmp

memory/5960-624-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 54bbe34d9cc2b201eccc0316bfcec624
SHA1 45071b58b3d3e27727ad4760f9b702ef1465195d
SHA256 f7ac620f526ac988d144d268f100322d0116d4537bd248beb74ed971ba34eec2
SHA512 166ed79c28a2c4ed0412029effac7c3d9bbb59a5dde907ff2ba97f4920fbd4acf184f7cfcc2113eef1bd0b5daa374be009775685ad4381cc2f21dbcd1593ad04

memory/2432-652-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2fd555e302660820cb07c37cdd7ff537
SHA1 2110ca5227ddd1a830ca08d493851365ef92c4cc
SHA256 425d92191adf094ecec8941b2cfacfd9179e0f293dd0fe5876e89082199dc689
SHA512 aaba079af40aa9c9f2665de42a06abefff40644f319963c8de934403bfaa93c9d9e70bf7a88ac9bed1c6dae638a90e07a325ece78964af0cca0e9baa49753605

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

MD5 c6006eb09152ce6378639f5341c9d6aa
SHA1 e22c79b19971928d056279a9419c56ca9c2563ee
SHA256 3b96963433a28d9098db185b30a8a3f9f89bffd7120dc0bed0eaeb3c4bce13e3
SHA512 0444eee35755d6dc981e063ef3dd8cac0e488ea78928f90028d3f5ea9d5669c915daf61fef110fb4722b41ab174ab377cae28e3be864ff6431ee161ca1e8cca3

memory/2432-673-0x0000000000210000-0x00000000006C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

MD5 5148f2c0167e5aa28268a4ff235c3d69
SHA1 610756649ed2275c3338777a7f9f6b8e8402655c
SHA256 21c5c4cb212b2dbe435df4341a3c150f5f9db8f649a8adf727653a56ab0d4e8d
SHA512 38e54c01782dddab170fecbe4258efc9099155cc55f514304d10b3211b1b6d167c95146c5c34328c9588e59ef0b837a8fb6cecba5e69a4264a499ec2bade0b09


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 10:03

Reported

2024-09-11 10:06

Platform

win11-20240802-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\1513dc16ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\1513dc16ef.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 652 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 652 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3588 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe
PID 3588 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe
PID 3588 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe
PID 3588 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe
PID 3588 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe
PID 3588 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe
PID 3588 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3588 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1992 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 3716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4920 wrote to memory of 3716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4920 wrote to memory of 3408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4920 wrote to memory of 3408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3408 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3716 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4316 wrote to memory of 1604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe

"C:\Users\Admin\AppData\Local\Temp\e9ea805e9928c1b071e362151ab49c55dd37924fe51c62c2445bf4e91d6b17e3.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe

"C:\Users\Admin\AppData\Roaming\1000026000\18f2852607.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\1513dc16ef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1828 -prefMapHandle 1836 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3106ae8b-fe53-4530-aceb-01626af1705b} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08e8c00b-46fc-4fee-a518-62dfa45a9d04} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef84fb55-9420-489d-a3d0-87a151895ef4} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3536 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cca860ed-3b49-4ade-bb6d-1476d7cc6801} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -childID 3 -isForBrowser -prefsHandle 4288 -prefMapHandle 4284 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e022fd-640f-4ef5-90f7-d55a6421c1a5} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4676 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd1d9d93-b9c3-4551-b4f2-f5126f4e82b0} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5836 -prefMapHandle 5096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a21a4150-03db-4f70-a960-c661c6ff88d7} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac21f1cf-ceeb-4430-846e-bbcd20b12be7} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6164 -prefMapHandle 6168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d25424c-3a3f-4244-8fcd-3ac02e45d025} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Files

SHA512 128a5fe55eb8c04b0b6ce2fbcccc2c098a2b9caded5ad647a056ee18d3044f62c964ee254b465a018da38fda44a1825d9ffa95316dd9647972dff46401ade08e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 40c1b1cabffe8172b76634d9ab9b774c
SHA1 1d59e7ad454814e36c3ffb6641179b9256eaad6c
SHA256 454a04a6856de1069cc338d8af9fd750c3f39704a4141770fba7e04ddcb93fa1
SHA512 facd1bb5025974ce365e2acab78b8707f171fefffc39ce81bb45d3bc3cb7ee4b809ef70c8e0d502cfe9b745efd9f26f41f13836632a70d8fb82942c875dd7cca

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\26aded61-1876-4091-9756-d85e3ecae5c6

MD5 4d78117cd66d043e059b0cf267fb36a3
SHA1 9ab1c9a61708537bb25d61b3a7fdddd429cb4abd
SHA256 a69e114308e09733c03c22079093ce6607ede28caf675e03dac72b9e4883d496
SHA512 c51b06124ca38c344018170fe96edc85f2dc76ffade8b92171905133dbc1660e9180d86453a60fcd59b391ab23df2cc289027b97ce1378b9f81031663ca9ce6a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\e73451d7-9fb1-4326-9260-fcab15a96fa6

MD5 5090a22b12e50af46d6fdc975a11c085
SHA1 321a30dbc22349894379598d90258dc144308d50
SHA256 10ff5cc032028a83e0a8cbf26dcc5442122093c54e096f54b2410e8af6cf4ee6
SHA512 7f9fef2d0c5fde94e0a4dabf6b130cf9d40091ed55c8f7b05e577c2dfb179de35fef915dfdc5bbe76ec65be366e4b4b6cac6be4946049c3f033556f2fdee9631

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 1b5127d1bb6924ca22750b5924547a59
SHA1 a589956ccdebe26c0631825b30ea33abaffdc578
SHA256 be99840bdf1555d77cd753c22d551be4936d34bac72c8f548c43737e2d1ed9f5
SHA512 3e747a372f6dc5c8f8d4a6ffee8ec2a2a6d0b79591ee249445440729a5022446343eaa8a27083fb2dd080506eaf50f8413552dbf563444fe9bc1761782ed7f34

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 70820ccd1f8e453832caab944451b261
SHA1 0eecfc4ce7fb3744a1ea65f461133165549628bd
SHA256 68076ffe9b29838b1d4c94de72c3248ad7e82348c539015fcd73919b9dc8f853
SHA512 a20e35282d28d45d4e3803e72662f56a13426f0d5a7f4326b1547a6588a6718ac22e2161bc3b80f0fce1e58bf1688a4e63f7394d4a06c34c26bae98a0816a8f4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

MD5 b14e75716b0ce5dc2de6713f2ac26f7d
SHA1 bc4f8b2611fb5a23383aad3ae17acae2024e8f47
SHA256 b6c7d7ffdb71cc4dd2d65515a3878216f8569a68720ee95f89a4f75d4225a1f8
SHA512 ff6d3e9f21aca22c1bcfdca20dfbd030c993fb55f4bf134c96f45e607069610d708dc536201f4619dc139251edb95046c0fd915d20c81f04619f652f82424eb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

MD5 9d7a58cf35eb8bd0c1b6d8e04894805d
SHA1 d643f87c0b485ce24e95746770a6919f54be1d38
SHA256 b33439be40bc53ff49474030e879df654a48da6e6bec447bba3fb27a0d0ed754
SHA512 12965837694c4113295c84d70a7832bef62d1c01c58195f22aa8c92c2372c6ea2f029a040c1929abc6e286eb9daf69bd0d9c8d3a7de86c2ab5395d4f3c3be38d

memory/3364-477-0x0000000000230000-0x00000000008AF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

MD5 fd8971b62ef982111dc9b82c3b861bd1
SHA1 1ccca3fe8dac40b2ac4e8aca0bd3fcef752b56fe
SHA256 734e6361f1d97349c946f7ba0b417ca685ae7825cca5d0cb9d4c36a5bb1aa158
SHA512 b4591938dff49922b91df0d0670eb9ced0f6f6e3ad9bc7da6700ab75084c346373345ee9e42865bc9105e9f3feec89684a451b9c4a1aede076cc4bc3880bfe82

memory/3588-521-0x0000000000C10000-0x00000000010C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

MD5 84f2b2e93646cd21111b6286712c1fd5
SHA1 438c376170023620b3426fbc8371adf97815a43f
SHA256 eac61b437355763849bcca97f1290ba3b18c6147214300608b05a1a9ef7d0bd7
SHA512 6f080b067927df1258ac93c57ce0ac12d73f6d7f7d385961a646da0f58ad521c97359e174fdd47b2712042adbfab685be4bd6b4fca19f0a3938298cd8ac57d4d

memory/3588-540-0x0000000000C10000-0x00000000010C9000-memory.dmp

memory/3308-542-0x0000000000C10000-0x00000000010C9000-memory.dmp

memory/3308-543-0x0000000000C10000-0x00000000010C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

MD5 da5958fd1cf87aeef3a6ae813b2aae1c
SHA1 3230fee9493cd9ff4a7bcefda69d53d656420254
SHA256 120dd23ec5892e7caa17ddd1148d702fdca6f4357700baeb1aff3014d2ba1401
SHA512 785c1ee60b1ead6708e312323f981f64c1bc1eefe28939d8097355795dd3dee5d9190d35cbf06fb0b74d9b16f0f3ed2845f2dcf25258b6a1b5c1c2a963a5e522

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

MD5 0bac391e05bf047a49288056251c6b2c
SHA1 79d2c355433f80d809cad38c24b77f18c62f0c78
SHA256 511067d8d7a855de91e23337e28a4bc606aac436c31eb5adff400d3f04811e3b
SHA512 538bfb7b56066a7cec9ddfa6c0d126ab861825e4332733d135d21af1eeb62353bab82dbab3d56a064fded60ef7fa5b3fe1735a665cb57f81bbe40055b91d28d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 f3b9e67d8ba9cd321f316faddf4322de
SHA1 6759c202f4da5529c649170276dde88193488f9a
SHA256 4d8603b6e289a92485eada8d00d9a758dc1c9148a9e8557f691b9e8fc8c7805e
SHA512 92ee838a0f284c8a096e3124067e65297dda3400783809c187492512f2dc924ddcfec8ebb04b7ebd0bc246f40476051d84e3e9b94ea6310fe776ea402ca39a5f

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 26b417013658f972c83ce8b82a16a902
SHA1 5d243fa0c7cd09aea0a050c3729223a3aed5b319
SHA256 3e19a94ea184107800444b1fdc5580cdf498173ee513c53e4ab27ad5e47f08a3
SHA512 c41fa29c256e3fd8986b39d638898782bef0775eb0fdef5a05cb6405a5f18d78a1d2141f14bbd502f5a70178f78f13a6be05444742a3a0c279b88ba74dceb4f6

memory/3588-661-0x0000000000C10000-0x00000000010C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 fe0812bb3c7c96ed3fc67561b0c7030f
SHA1 5c23d7ba1ccf930746a1e43f9018cd0c9731dbf2
SHA256 cb828e1312c9a221c87d95d31eadc2be439bb36ed695efa72309ff8c602c2d4e
SHA512 816a55df95f4f78887043e31d5123b1806981cd555605c84f2eeced683f2f5beca256a7d52b575c134a7d21d9f2d8ec987e6e0219f4f1f0e6fbfd49175211810

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ac7abe26b446842d30b6e37856a08f50
SHA1 5e53ef274ec31b81bf13cf546580d040f96d19ad
SHA256 aaa8309ed40e915bc27df3e06b515fa868899954d219bac7e41bf16f1f8ebc27
SHA512 459ea72867745c9bc4dcbff7b5657314b2fc6a56c304885c5f53449c32858feb3cab2d7ed35aead2ccd70fbf67748f4d50525b96a0c1f58a007f58d60cf658fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

MD5 b0dd15b8d7960fa1999ac8f6accfd1d8
SHA1 f346881b9f2f09896aee7bcb29a6adeebfd28d76
SHA256 0d0eb2e3738ca079dcc56504f2ceffa3eb9bb2a335352326d6a72e8ea4a72b4c
SHA512 0ff8059e180b6918aa930714b73a760a71b38e814a92964d2645d2e40027b2d7de100c66b5f1a586919cbaa105860c1fd16ce027ff7cabaa40dd6ceef72c1db5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

MD5 39faf7af58c8bf1460c45aa32815c995
SHA1 e308f00e2dd232e31dbeeea46022f30e769f92f5
SHA256 b44e38a377ab2d3935bdc55de39bd716a355e4b4936655387d1fe5640bdcc8c8
SHA512 ff020811cb4e72b02fbc7bd7896447e665aea1cd96b4c215770ffff9600789fdf45deb61509b4186e65cb9d5ed0d63a8b75ea79aca8f0c14ad734f0f69a434c5

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3588-950-0x0000000000C10000-0x00000000010C9000-memory.dmp