Malware Analysis Report

2024-10-23 21:51

Sample ID 240911-lpna8svarf
Target e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1
SHA256 e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1
Tags
amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1

Threat Level: Known bad

The file e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access

Stealc

Amadey

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 09:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 09:42

Reported

2024-09-11 09:45

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47ee257e79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\47ee257e79.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1876 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1876 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4148 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 4148 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 4148 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 4148 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 4148 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 4148 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 4148 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4148 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 4008 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 1080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 3972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2680 wrote to memory of 3972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3972 wrote to memory of 1444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2680 wrote to memory of 1100 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2680 wrote to memory of 1100 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1100 wrote to memory of 3204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1444 wrote to memory of 3604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe

"C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe

"C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {268bdb22-d2ea-4de4-886a-358575ae7b63} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ddc09d0-2a35-4f00-be80-4b7c31d604e4} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff842ec46f8,0x7ff842ec4708,0x7ff842ec4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff842ec46f8,0x7ff842ec4708,0x7ff842ec4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1372 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3356 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4482c1aa-a94d-4e3c-88eb-67e964d5fa38} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3504 -prefsLen 22631 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {601919ab-d2b3-4739-b6c7-c3db5f8949e9} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 3 -isForBrowser -prefsHandle 4364 -prefMapHandle 3688 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40070048-2266-4dde-8e43-c50588e654d1} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5136 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 4988 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {472bdd51-1e0d-47f7-a33b-20efc2e07a6e} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17014100322783448644,11081625511367470711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17014100322783448644,11081625511367470711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0d21092-2e95-4e33-89f1-80e0a898abaf} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12490236-3b70-4025-bf09-97caf48dcf26} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 6 -isForBrowser -prefsHandle 5840 -prefMapHandle 5940 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d95083c3-5313-4db6-9a9d-00306069effb} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4952911978487673038,15539292582869840682,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 216.58.213.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 143.180.12.52.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
GB 142.250.179.238:443 www.youtube.com tcp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
RU 185.215.113.103:80 185.215.113.103 tcp
N/A 127.0.0.1:55051 tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.212.238:443 play.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
N/A 127.0.0.1:55061 tcp
GB 142.250.187.238:443 www3.l.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 play.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 216.58.212.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.238:443 play.google.com udp
GB 216.58.212.238:443 play.google.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp

Files

memory/1876-0-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/1876-1-0x00000000774B4000-0x00000000774B6000-memory.dmp

memory/1876-2-0x0000000000EC1000-0x0000000000EEF000-memory.dmp

memory/1876-3-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/1876-4-0x0000000000EC0000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 4f810a4d5286bf5189823ad3cfacd8a2
SHA1 c5c060728031b48834ff5a2739cb173a1879320d
SHA256 e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1
SHA512 2557369861653779d600bba276e0507e3652da0578f0f40f6a47d2f28b9138cfc39929ec6b20cbe262f36b1a8a4fe1362592a02a936dd07a1eb9a569b1ed6937

memory/1876-17-0x0000000000EC0000-0x0000000001388000-memory.dmp

memory/4148-18-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-19-0x0000000000771000-0x000000000079F000-memory.dmp

memory/4148-20-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-21-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-22-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe

MD5 2436f5bc4146385648a72a27897ab578
SHA1 daf603434b49d4bf2866a3f53069845f05130fcb
SHA256 aee2dcc810b97f1bd7809146f7f33887e806561329c0b6288ecb1d315e4f6740
SHA512 e32cede58485391ee8621b939f28e7234095391ad67f944929b8475528f8a08f801d3997138c0935f40d17ec3e703d0d499e7427bcc570102636e1ea8cff2a92

memory/4600-38-0x0000000000CE0000-0x0000000001360000-memory.dmp

memory/3524-54-0x0000000000B20000-0x00000000011A0000-memory.dmp

memory/4600-56-0x0000000000CE1000-0x0000000000CF5000-memory.dmp

memory/4600-55-0x0000000005490000-0x0000000005491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/4600-65-0x0000000000CE0000-0x0000000001360000-memory.dmp

memory/2680-66-0x0000000001050000-0x0000000001086000-memory.dmp

memory/2680-67-0x0000000005720000-0x0000000005D48000-memory.dmp

memory/4148-68-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/2680-69-0x0000000005380000-0x00000000053A2000-memory.dmp

memory/2680-70-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/2680-71-0x00000000055C0000-0x0000000005626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkwfdeek.mj2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2680-81-0x0000000005D50000-0x00000000060A4000-memory.dmp

memory/2680-82-0x0000000006270000-0x000000000628E000-memory.dmp

memory/2680-83-0x00000000062B0000-0x00000000062FC000-memory.dmp

memory/2680-85-0x0000000007560000-0x00000000075F6000-memory.dmp

memory/2680-86-0x00000000067A0000-0x00000000067BA000-memory.dmp

memory/2680-87-0x0000000006850000-0x0000000006872000-memory.dmp

memory/2680-88-0x0000000007BB0000-0x0000000008154000-memory.dmp

memory/4148-89-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 27304926d60324abe74d7a4b571c35ea
SHA1 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512 f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 b017910a376ee8d6f8e7fc0f1ee924ba
SHA1 447a0ce2715f9aef63890849608594bd493a84b7
SHA256 32c90b33699930078374cf372f99fc091c96a3cc56c00af94f9d22566e4cca3f
SHA512 36cdc935d0d344db5720dce104fb4978e2e0110d08b3037ad18b34b9c03c9a2b1675f605dae500e0e1981ee1b0cb4ea02c9ccaaf13e3247eca6a60c38abb9636

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\6fda5813-5272-46ab-9887-16f08b69867f

MD5 b186fc758a27f5932a187ff456eb4e45
SHA1 12866fe62a002d57685f4c2e51455e92e256c39f
SHA256 8bbe12942a391bd6d66434c1d570e4b40e7e754bdc5db712843026bab2b4bd72
SHA512 05f35f40d66a318c31f3a1b5f969948b41221069976c57fd2cd813503a18f741b5509a13054d3bb3d45490e2749c4c0e4dc644a78026555f1498d0ea31cc6aa1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\375d8b6d-264b-4379-b108-8a5c53875ac2

MD5 cbb67105199034e0f41a5ca007b9c597
SHA1 35f8301967851973d034174d9636cfdb83218e03
SHA256 97ee8dc7dabd2dae7926461972a8b2efd01fe3fb3dfb3b6dbc56bb368118bcfe
SHA512 e888acb75e5070b80ed55971b62f9b68d03f4c83cf67ddd763452e5b084900625b8c1500c038d08648e418f018f09652c1787ec301bb049dabfdaf9caac7a320

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\051697ef-52a8-4fb8-8205-4408897fccda

MD5 c61794ea9ec248a26db9ef3befdddbf1
SHA1 3217f05fd175874b3a9cec174025fb006e77d3fd
SHA256 709be50a69ea942cae31fcb60022e0783ae164f0d125f8c0ca4ff2f55b1533f0
SHA512 c93a9d3a00a000fbe02732eab42b64062224b7741a10429e509c4ad16daa9c59bf37e30d7c6007e18287cb0da95bda54a900cf3f4f2f5752d8f9c4b65f59b8f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 5ab6045694eb300b7539aa18b688cb19
SHA1 cc6d4147bb2eb0917049641d2eb975f60614e3be
SHA256 9020ea3762cc1b7e8cf7d70db2c8e116c27c34abdb30ca13d34738af31d76c57
SHA512 ddf2c2248936f0a258d4ca92eb0b79f31d6d5c4cce7c8b4a071ec86e9f4645a050c41eb51121a1eca859f60b869a1118455057a06513ac7bd5795cae9790952f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1 c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512 e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

\??\pipe\LOCAL\crashpad_4192_HVTFMOSAWDJKAUMV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 4841e89da3403f07dc452b18f1cae5b4
SHA1 18765c27991d343eeb5afab07ba64779ef05412b
SHA256 fcd0d22f1b265d0d30cc8278ccd37a977b3b70ea49e0b0c733fdaa487a1a7f57
SHA512 4bd6b785711643e4eb91da12974537591493d65d3d935ebd8276402f2780626ab01adfdc1f2db3d7e4afe3c6c6c0c1b9a84a0f50778782ced758b76f8a72c79d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 90d4f6f48c94e37a1f5e7d6461a5b1ae
SHA1 0bcbe7307842c21474dedc5c542e2fa94fc7ef90
SHA256 f6e90e2f6f4f8f448bb59066b3bbaa97198e4fff979a60462f86c8e0d25f0647
SHA512 9f8586051e5dffe77cba4a826ece6fd4494fabaa67e58d77f36fec87bfb707390e41ebd8814bfff9304377ee2fd31564718524ac274ed99386977c4f762d952c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ed86a70815d2297127b9f5c7c827fb83
SHA1 84cfe83efb65c422060ee7e4d4196fd882189e92
SHA256 4f5f69f3bb3d5adc55770505c702bbd2b480b53e9efbd84a57a4ba650fc145f5
SHA512 effac11cbc190bdbdc614aecfb7400ad773dfd88f90c14aba98417618d4695c220947f8e29d327798dbebb602f96cc99bb8dd0de8761c14124b3113d43e57abf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 273b951c0a6e487d369dcabcb5e8fd24
SHA1 7da6928b47f6ffd233b904be9209d5a5a3427dcc
SHA256 b35b0d6c76ac646fd8948ae2eedb196cb3a6a44f1cf732d01104c37b1dee71cd
SHA512 fcc7f75355fc30fbe4fa7ad84551eed9bcad017b1d135c397d93b99b00ec49c9750adecbca427a8a1bb4584f45eff9f0c8139eaa4194a528486da5a41173655a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

memory/4148-441-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

MD5 a446b8681ab60374871bd3814f8654f0
SHA1 f32d7399575ed0bf3d86b9a0df72c06455036c9b
SHA256 ebc01082902906720536d0e2bf94126c4fcec3d6814e9bb89479039fd96d9c30
SHA512 b2db3274e99764ccbe01b85da6dc2793d631594e4f5ec8fcaa071775a7359c646252a160acafa2d17a95b24e51aab7e3c399427f31a5d9bfcc85321b116fccec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 102bb0bd68be2374bc22e18430b8b45e
SHA1 773bb875e7bae7c9280b3132a6ae06212cf063d9
SHA256 b426aadf132de8d8a4251d442ff25d41319214aa3e2993e43d4c3f8ad316ba76
SHA512 9eee6f437c904a7eff7c1b41264f72dae6d928e11c012c7bb8d39165ba86673c944756474955f11e1a43480ebf6075f7ad723e912a5cf03cb040e5295e9954da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 24f21a2f78105b8e8d033b68e4030590
SHA1 c42fad5c1a512b8baf597fc43a2a7e7a4ac71f76
SHA256 e0b89862f5a067025d972a45c5100bca67b76f5e6126f8a07d52c5429b402e69
SHA512 ab19cde4d39265407035da2ac9ce510219eeff072b5c7946a7723cdeeb523bd0fc08729ebc667445e691d2f7483eeb1af847001561cc6a4fb490cef8bc625329

memory/3524-506-0x0000000000B20000-0x00000000011A0000-memory.dmp

memory/4148-522-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 c133b34e19a241b6b6d97064ec56549d
SHA1 5dcb3c8dcf8434fa5066b531fa810b22d1dfb1a5
SHA256 852039545e810c245ad6e982f2e1c45cc250face361ad34b877c974a96d7777d
SHA512 28f073ac77f79d8220afa28254dd24fdd33dacb1e0a58806c0734200bba73e6b021265149f75fbeec0ef11a8e594b5471a4ee520433f481b605fe50efa2927f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 f1fb8fcc5d6f83a5bff040767b508c36
SHA1 c8d166d510a35c90bb81fd7d058df9497adcc67c
SHA256 72af56bc371226b6699cff85e412a9b8b0868beb4cfc00faae89e77768e7068a
SHA512 2d5050606b767310388b2b761729f1133d11196a7907ae36d18d558ee249f9c0e87ef1c2b1ed45e728d103ae940800bba4522541387105de947f3fa674a2d292

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5c21c2e14d1b5ce5e4994ae3041f0f96
SHA1 e43d52dd0cd6edc55f71786785a020affd62fb72
SHA256 9c1990c99918bbcd8baa00f480f3bc3ad0c1ec73c53fa5b45d40f2df63758bd4
SHA512 045ad463b5937320346f25f7186dfb5ddc496de6e75da1852c5b93ea035a45ff44f1e3372bb63331b18d85615e780e2452e73a020d7f9d7b2d07815fad126083

memory/5800-674-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f4b0fcf9e8d69a6b763096acee6cc7d9
SHA1 11deeaea188829c9e2fb6064efa28caa5ab9b663
SHA256 5453eb3b9ac5a2588f1da5e4563e13499e88ca16b1c997a040d688ff4544fbe2
SHA512 96da0d96e4523cde57d81e17cb2b9e3adec9f545572947986e4e2a232738c69f667a8e82ffb36cec68c95184e3b8ed2dbaeaf5b6cbcd8e03734f459464877e89

memory/5800-684-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-687-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4

MD5 2b6612962cbba0ef3f9ac933070daa10
SHA1 e18a3675791cece3795a95b21be22fc7e0015c09
SHA256 9bf2cb7ff96b48b617299551c17e11f852f610fd8113ab171a775a66c8e6a704
SHA512 a6504d9893b3426f2dca7bf7d47c1d7b4d870d4574a1e9d0d6fd42556b4ffbd2e5f34dce8d0321e4838d29a1b5a892ca0c4806f0775bedf7091b88f7dd528278

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

MD5 0b2076d66d7d19ca340bd61a3a0d6ae8
SHA1 abc4ed58c192de47f5965833db401e401a366971
SHA256 6b29f0c0aadfd212736a1f5210e22ac095ab489909c47fe1525f1cda296adbc3
SHA512 03dba07382b55b1521e9e798c78cc2dbdfd66d2a94e71cbd06e6cda555a6b77670211a826687d470f05c669439aa1f38b1fd4c03f9a70b8aff31dfe3e8b48e5b

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 dc2f11c146bfaecda6da32bd08b273ee
SHA1 0eacbe9c09a73ae85fd183b957b14b15aa489026
SHA256 ae730f2c82c4cef0447e067abff963ec3b19c9b6fc4f125b5398a77d008d7750
SHA512 c10e97e92ce9efc080f375ea0e47f11aca4beb7794c101adba5878de85dbcc4e8ba9c6dbf3d8d49c1242d3eb88e4d47052454c2443e4c97f0c835b988b0407b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 a622ef6724104d862d3f6a6c1847c668
SHA1 b2ffbb0782da716d7565e1e9c7a46e4f33f72c88
SHA256 65607e49e036483f38db967b1521682f05d08013372a41a6eb5b4310ac9f39d1
SHA512 6a07cf0afe66b4a8628af1e3cb6343f5d7a5438e94d52d8b6e7b196f53c6260e54dc2a4403e3c4901a7c99e285d8178b7484d9fe778c6f2c4b75b5a2bfd4e86b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 c15275a3fa8c8ae8ee885ecbf8a26839
SHA1 348a055695fa9095e7cd07fbbedf9ce320ea0c39
SHA256 c1fb02ca82d1a252fdbbfbc30e5510cfd863a7751bd1dc6953817ec77d136335
SHA512 bf3fcd3d7bf3064cdaeadeb379542298c38cfa8767af687e74a037a6bd123515a45b2f196b5144f894a723da9b02706f605042723dfb554c08c268c09541995d

memory/4148-802-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 690fff3ef79d0567b9424635aa557745
SHA1 270b1a3b63a8e4a88bc6f6164d1488d23d84977c
SHA256 902f839333589ffa7043da3eee616cec4368c7e15161e5c475405b715d803f95
SHA512 37f9e94bb854dc12ef423045f0550f1caed91bf24f4b2bba092fd75ce9a963bd192c49517ddbbf5202a13d141d11bc056210475c0a997a30c07781de3501ec41

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3e078f8a311bc3e97dfc03367775304f
SHA1 eaba8f913fa59d026a5caef478b5704bbff375c1
SHA256 0760ff77db563efe70c347669151205fe749be8acfe9d450f732f860a0fc3ee8
SHA512 49850a7ce1553d2b5e7a3fdcc45e53be64dfefadf4fbbd9d548098971d2cfe0d2ba53ec32c64878535c2f6b1d67a4c64ccfd1bd041e47f7851ccbad4fbe6d0c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs-1.js

MD5 6bdd3b65bd1f7cd4f5d0b8f637a226dc
SHA1 45d3ddd655cd0290ee8321581a610e0c1c311377
SHA256 761c372fa08b3c401654f4670ee437598739d31499b15a1d470ffddb63a25aa0
SHA512 ada5bf7971114183f64f67ebd1e3bea20bb8479ca10330d7e850e8eeb3898198049ebe635a0303e5af64ded084b34b9f350b4d138b81a3942e27fd17b2138872

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\sessionstore-backups\recovery.baklz4

MD5 e3fe0472689be806b8c962fb93fca4d5
SHA1 e3c58f1c93460bfd61d66fdee69a9553e94d3b0d
SHA256 2cbff33f6e3074362c64dba65719f76af37b38e332244c9692014f7bfcea4dd2
SHA512 cd77282acd319c891523ebc963dde0f3ea7dc7d795569c1274f5325fe97fbf0c76321970a5bf7328a237ec426830394427a98aede71d518c27601a9dd7dafff5

memory/4148-2179-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3212-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3222-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3234-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

MD5 7263f3c98325f6f153b9af23d1949205
SHA1 5c87918bed7db77210b2e49224e133104ca5da26
SHA256 67f23c01a6ba09ae29f9fd9a4e5c18cb67729665e06eb0a224be5c910391d4ba
SHA512 3d9e908a63e4cfbc26a93774ef7315811e60f492b4a91cc16bae3165602998b7047ed18a2fcc4dcc21894d427bcc0c52db83c0be4fa1a2df3c7be7ca44ef4f88

memory/3812-3256-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cc16214fac17705bff29a1e08558e5cd
SHA1 9d16450ea93db09570dadb8deef17fbc3ddd7f7c
SHA256 eb190c49da41d65dccf577ba565edd4111c8509878b0cf057534ee753e734a29
SHA512 e9356896f91c65af40dd12569fa7fba46fbb759f0c8f53d6d803605beb35a9923d9cc99231a7e32c795a04d6f58596d59935fed120b3b1ddf5e569f50bc5e35d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c241.TMP

MD5 d3738a1145f72c7972362ccc4f245e93
SHA1 39cbcb089ba4722a598de33335187bae85b7a664
SHA256 c2ce7a6fe2b1a56b76f36979df3cb0cc34aee4bd6d7c3fd5f5be74c8a5d88ab7
SHA512 2634f30de2eaa8f2b26378ebf4edf1439d228da85d0035578e02122e88a2aae73d5903c7a6d98a7811fb6c40689b607914061a9e664a83fd00b5838526f05058

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f345854e349dc4bf86b9f84b5d87470b
SHA1 587b9995ecd92fd6649f39ed9f896650d1a2f977
SHA256 fb059f3d30e8f877571935b702df901cac439370206cc9d48b7b92228733b0fc
SHA512 58659eff4f715157034e81ea207c79142f54fbdc1b154f7dd187ddc966eb7d7e6b80f2afe04eb97b158181a96de00b8d1ce2f966d5b8bf03f2217d83f7b43f15

memory/4148-3271-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3272-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3273-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3274-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3275-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3284-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/6008-3293-0x0000000000770000-0x0000000000C38000-memory.dmp

memory/4148-3294-0x0000000000770000-0x0000000000C38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a5ccfebbc4f60b0a8ffd8173fdaf7283
SHA1 d958f65dd9af37760f46e542a052aaba01ca748d
SHA256 ebea5c9192c81bf9aeb04200f9f546bc17cc21a526d9324c03eaf5696ac1e794
SHA512 81e021a92b2260a38813e5057c1fb646c7893738f6439526bcd3930676f972257fdceb3ff784c076f1479d45bd9421f476a16f2bd2268c8b585e9d8ad5b41bac

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 09:42

Reported

2024-09-11 09:45

Platform

win11-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\47ee257e79.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\47ee257e79.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 232 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 232 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2736 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 2736 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 2736 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe
PID 2736 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 2736 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 2736 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe
PID 2736 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2736 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2736 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 5032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 5032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 5032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 1440 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3372 wrote to memory of 1440 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3372 wrote to memory of 3308 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3372 wrote to memory of 3308 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1440 wrote to memory of 432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 432 wrote to memory of 3592 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe

"C:\Users\Admin\AppData\Local\Temp\e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe

"C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\47ee257e79.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1892 -parentBuildID 20240401114208 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcc82183-7261-4fcf-842b-7ae8552ccd93} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c50f398-face-4c3c-a33e-6ce6a7b92be1} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 2608 -prefMapHandle 2900 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a61381c-b299-44ae-b07c-b624eccbe160} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 2 -isForBrowser -prefsHandle 3308 -prefMapHandle 2912 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c39f31fc-d546-4371-abc7-a167502c6b31} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae082f25-cafc-4378-9925-f170460655d5} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 2792 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {980cdd6d-f571-4fe9-afba-d2124e0e115d} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5936 -childID 4 -isForBrowser -prefsHandle 5916 -prefMapHandle 5908 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dbc8319-3ada-42f8-9b5b-ed7d410ed149} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6060 -childID 5 -isForBrowser -prefsHandle 6068 -prefMapHandle 6072 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2e7ba23-e1ad-455e-8c69-151f81419b31} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a547f62-52b9-4f8f-b170-700459f77df8} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.238:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49845 tcp
N/A 127.0.0.1:49853 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
GB 216.58.212.238:443 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.179.238:443 consent.youtube.com udp

Files

memory/232-0-0x0000000000670000-0x0000000000B38000-memory.dmp

memory/232-1-0x00000000778A6000-0x00000000778A8000-memory.dmp

memory/232-2-0x0000000000671000-0x000000000069F000-memory.dmp

memory/232-3-0x0000000000670000-0x0000000000B38000-memory.dmp

memory/232-5-0x0000000000670000-0x0000000000B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 4f810a4d5286bf5189823ad3cfacd8a2
SHA1 c5c060728031b48834ff5a2739cb173a1879320d
SHA256 e9f315ca8e73dcdd580cfe25f9f231e73178bb876202112806ca5b65a45e93a1
SHA512 2557369861653779d600bba276e0507e3652da0578f0f40f6a47d2f28b9138cfc39929ec6b20cbe262f36b1a8a4fe1362592a02a936dd07a1eb9a569b1ed6937

memory/232-17-0x0000000000670000-0x0000000000B38000-memory.dmp

memory/2736-18-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-19-0x0000000000021000-0x000000000004F000-memory.dmp

memory/2736-20-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-21-0x0000000000020000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\e8d6e61f4c.exe

MD5 2436f5bc4146385648a72a27897ab578
SHA1 daf603434b49d4bf2866a3f53069845f05130fcb
SHA256 aee2dcc810b97f1bd7809146f7f33887e806561329c0b6288ecb1d315e4f6740
SHA512 e32cede58485391ee8621b939f28e7234095391ad67f944929b8475528f8a08f801d3997138c0935f40d17ec3e703d0d499e7427bcc570102636e1ea8cff2a92

memory/2012-37-0x0000000000E80000-0x0000000001500000-memory.dmp

memory/2736-46-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2012-47-0x0000000000E81000-0x0000000000E95000-memory.dmp

memory/2012-52-0x0000000000E80000-0x0000000001500000-memory.dmp

memory/2736-56-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/1460-57-0x00000000009B0000-0x0000000001030000-memory.dmp

memory/2736-58-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2012-60-0x0000000000E80000-0x0000000001500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/3372-68-0x0000000002670000-0x00000000026A6000-memory.dmp

memory/3372-69-0x0000000005100000-0x000000000572A000-memory.dmp

memory/3372-70-0x0000000004F90000-0x0000000004FB2000-memory.dmp

memory/3372-72-0x0000000005910000-0x0000000005976000-memory.dmp

memory/3372-71-0x00000000058A0000-0x0000000005906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53amve4g.jqn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3372-81-0x0000000005980000-0x0000000005CD7000-memory.dmp

memory/1460-83-0x00000000009B0000-0x0000000001030000-memory.dmp

memory/3372-84-0x0000000005E40000-0x0000000005E5E000-memory.dmp

memory/3372-85-0x0000000005E80000-0x0000000005ECC000-memory.dmp

memory/3372-87-0x0000000006EA0000-0x0000000006F36000-memory.dmp

memory/3372-88-0x00000000063B0000-0x00000000063CA000-memory.dmp

memory/3372-89-0x0000000006420000-0x0000000006442000-memory.dmp

memory/3372-90-0x0000000007510000-0x0000000007AB6000-memory.dmp

memory/2736-97-0x0000000000020000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\f720c149-62bc-4447-ade3-8a8afae84bac

MD5 88a42c0bb9a2543a542c1a0052c00ff5
SHA1 054b0f156d43ebf445ef216504aba67334067fb0
SHA256 3193c2da4e12d7a342ef52739515d50aa38ed50ac41bce986aeb42fa7db04d17
SHA512 98cc865fff8aaea8dcba3786ad5d5aa967ad7b6b0ca6aa0a4945be83c9a28861e2c059b00b5a154eb8a9855d73beb475b9503d3475c32bd7cd99109a22b3e063

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\95ab4c7c-6d10-4d12-8b63-8cfdaba3eef2

MD5 c25c0d8039a888a6ddd53067681a8965
SHA1 72e364152b18d2a4d2df9d2757746ea4364cd933
SHA256 ec32927c9fddd99dd41013769f30f01ee550680abe656ad23c6a7711f2a9c176
SHA512 fc7c198c24a2c2360df0ce88ccfa75ad29071991340fd88993034a74462794dfd2f174aaf579447c73cdded8feaa33a8e2b62c18fbf6e048178c5e2180305399

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\2db5da34-62ca-44b3-a708-7327b2a0204b

MD5 64289ac984faaf8a214d09a2f4296bb0
SHA1 43ef623355e17331a0b965a5a1c7d56f4bf00555
SHA256 5e8e972867f792aab56ec1125e1c92a8067a7b21781fe44f5edd193714914933
SHA512 95785f8bf4d3be19eb038d294cc93847ecfc92801d99a2e838dfa89d32f5ca0b165a0731133e67c4bfe61ee88545d93806bd888520bc584993d52900674ac8a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 b3b110571bb4e7eacf1b4c696fdaf348
SHA1 5fcf7da86094d10d2561a9195de7378d003fe77a
SHA256 64bedc705c82a09f6aa25520a62eae11aa373f2f6ce4de77c60ccee9b7c281ba
SHA512 900c1bff878d16fc79b93abbc43e6a3940763d7b92183123b108d8e51bd799b4d1b424e893e7b9c5e44f77fceb81ada4b9df8fd78bae4045188d4ef1576dfcd2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 aa7a55517f3af5b65614d5d4882a1782
SHA1 28a54d5003b7cf9bf0a1a69082276c51c5692dd8
SHA256 4cc6e74e80e242eaa75a2bc7c4b2169c61289f00039a746fce4508ae171841b3
SHA512 f030c2f93dad1aaffe991c44e00d4f82e7b1205c5d776453b2dc1f269c702fb40b56044ca72f4519d36b2fffa5518432199d58a054e95d237cd96866081d42c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 0922cd20e6a3a48fbedb34831f790623
SHA1 54285baa7aedd8a5cf3c690875d51c7106190376
SHA256 f717f8d001434e49d84d9e13b456c51b42edffc40cf0bdd0fbbc1be6fe2dc2b9
SHA512 fe896afc859cb28c98de0ac25777f441fb91e22965a56109fa04955c282c8ff8ce0bc6858412b92e3fe44e5e8b8ee0953720063e3046182d490d5647f591be2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 bba31576cadd7695b5ac582301b88ef2
SHA1 e65d99b7da2be3355caf84e22de28bab1e046db2
SHA256 9b14b0d8f9ed1414221a5ca7fc9a9385ce0e857bd429bb1b342f208b9114aa83
SHA512 17f67646d1d2dd261a10911d800473059aebe6907f9094b847fb7cbc5cc194044fb57b6e9706bfd5bb0e04bc64baafc548456a480e1ee270b8982914cac8d862

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 ab4d576e80dd9db75fc423f070431ed7
SHA1 6c32fce29557b0011770af2b36da54afea86ad13
SHA256 929c1d404b8dd78dbdc71332111b5de74def33bfc1d1b29bf6facb6437f73926
SHA512 e3319fae9d85bfa1ab1a8623ea5c681c5e46eaee959a0cbd4e2ead50e2595eff6e163c0bc174d67d1eab1b7868642c6f19b8775e514e735458a63ad946662ab2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json

MD5 879753165c1a015b4937a968fde9de18
SHA1 e4799cf20d1aa13672093e03732635506b803e68
SHA256 db2b96378460a3cd9ed857ea8316c476028ea8c9b5271b6b6ca883319dd9832d
SHA512 43927feb1d4946983004a66ae82d5cf4c0d6fce57fdf8474322efacbf95ec0e97655d6a8b0e31fd35cf955c7f004fedf237ec49f531c2f505962da7c91ab2f10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 afa847962497f033a05b9d25b7cc04c1
SHA1 84d8ecdc103df1ce8c8a41ff011e3a5732d9958f
SHA256 47a60dc19e02fb9a05e92f8018e1895a52e11d62526f8dc3bf81c95ecebe3a52
SHA512 c7ad9b3eedcf3ce524b85598ab878c225b0ddb2fb78efc428155994973e823d6c2b4a3e6bad8a420e1cf1a3f225f28293d04d446df529cdf2cf27e8b1082cce0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 0690f1b13b2691ce31916cc9be8a7c17
SHA1 242a70c28e2133ab641471e9e036017acc68a37d
SHA256 483e99f379c21676ca79650cbc1f8fe086962eeda0192ed915ecd6b66ef1c0f6
SHA512 f538ce484a295ef27352326480b5f8f56096cfbe6b2442734a46935b8e20477c95b7c10125f9edd20c19786d35d25567638b23c7f3241f730ac344bb8d3fe1f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 14ccbd41e37ad7ac0b223db0e8640f9e
SHA1 eaf4bdaefb362c88a383a02a24a380c130f95cd7
SHA256 dd12fc2564a128e1e3eef50f9a1fd37c9833f9eeeada00e14c4f00a12a514ef6
SHA512 e1181bd4f22628fb5bf12bdb0e606b16c04f2070e18ff217c79a67d319d7ea18c1de74ba1bc0a697190070a7184829f4b21764cb441a758935aed0fe9c00e30d

memory/2736-478-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/836-502-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/836-506-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-507-0x0000000000020000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\sessionstore-backups\recovery.baklz4

MD5 56a208cedda2368ffdace47373b70316
SHA1 36e1cc40abe35870dc8d11d6beaacbddf44b11ca
SHA256 45a66da2ce5bb02264c855b3b308ccbf0057a48505bd626fec0c74e4836fa1f0
SHA512 315176502f1f43152dd80a1bdd834b1a9283bf8d96f69cbb63f810035e8113484957e88009d1e690b0d7ec081458894818e0e6794363e817864dc11bcb6e12bb

memory/2736-514-0x0000000000020000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 7c97717fee2a52e266e45eabaf43f1ea
SHA1 c25d1ad40ec25fcbe7c9df7fe85454a2b921306f
SHA256 899c41071488b9c79cbb497f8f97d8f9d7ae7b405aa6a8020b0370c8f4bc173b
SHA512 0ea3926fc3a9089fb8dd2d8ebb0fd4e16e765a543792026e0b12ead61bcac5533e930f5d22a09732c5d476ccab3c79639224d34e7b8f363d7667b4b9f1cc76b1

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 42ff4af2e6270ad9fb78bcc4fc2e7e75
SHA1 78082344b08b7b315c7df6397a7f9bf16347f76a
SHA256 9f8abcf64c92173278b07d628bd96f36551b769a0d4c1a59455c7dfbd5085a17
SHA512 0e985babc13d7af39282a5dc8f0ae7e17dea52876bf98e9b677cc25ec4e3efcddd30d4b9b7dcaa975c03247201a14b0bf09edb4fa8cb75711de5ba0d5df84a46

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 c20a5a68aeea18e1f91ec90b0708b0d4
SHA1 d4b69f8dca4bd1882304308b3360e5761ac07286
SHA256 407cca4772a04fb67cd479d50161aa26b8f8fb9fadef91cc3210103b9df8213f
SHA512 ef8f0952c619a18379ded3a178c645ba2f1dda2b98afa08ef538597d580f35c0330d8af61b5575610d9a03e0522362a38f08493028536eb1df7bd90f7204ccbc

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

MD5 5f6ad7b2391a543e8ba519afd01bbe93
SHA1 0c424a05ef7ba92bec110261aa749239359977b4
SHA256 2fb57d8a360abb73d8e6d92b0bfe22232ab55f8ac3720ae92f042f2d895f816f
SHA512 686c6b9230c0284fd725e472ee5cdffd84302681a26e2cf6f59cbd0e55120f93bda98fd041a53a48e482589fee82fb6adcbce11ceb9547f2e7a8bdf93f0f45ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

MD5 ad135fe319ade5e1fd361c021c792c86
SHA1 e98b752547a4cb32472fbf8369b2a55e9ed3e5b0
SHA256 00da7e8f7e29260cd9398f87dd71fa2564b66a5ca0774563f669e4290eb4a76d
SHA512 514f26692c60b863ef2aee3d708d82138384f7ce8c6400e8ec1f482db0adf9ce22dc6b2e21c240dacec2b6cd775de1bca854c7059ab59ce0ef884910c2ca71e7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\AlternateServices.bin

MD5 e9c5e0c765b5e4da8a60ce26c6c54f08
SHA1 1167acf787f96af81d4bb1fb0a7f38b928bcdc34
SHA256 6f3b2e9abc5b6fe267a51906a2e297f7a72e2e063f16f0ce40d21debf0c3ff4b
SHA512 336f258dafceb6d03891cd1d4eeede9becb5c785a0f0ef43252d8bbb7ed8068d1b4734589fa85c6cb3f2c433fab0126f82b79fd92034c97a9a575dbc6c8214d0

memory/2736-1398-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2637-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2644-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2650-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/3424-2655-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2656-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2657-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2658-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2659-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2660-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2661-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/1464-2670-0x0000000000020000-0x00000000004E8000-memory.dmp

memory/2736-2671-0x0000000000020000-0x00000000004E8000-memory.dmp