Malware Analysis Report

2024-10-23 21:50

Sample ID 240911-na1zwsxfnf
Target abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4
SHA256 abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4

Threat Level: Known bad

The file abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4 was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence spyware stealer trojan

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 11:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 11:12

Reported

2024-09-11 11:14

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 1

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 1

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A 2

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 3
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 1

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 2

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5815087ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\c5815087ba.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 2

Checks processor information in registry

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A 3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A 2
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 1

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A 6
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe N/A 6
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe N/A 2
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 8
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 10
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 5

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A 1
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 21
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A 20
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4356 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe 3
PID 4444 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe 3
PID 4444 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe 3
PID 4444 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2640 wrote to memory of 4052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2640 wrote to memory of 2360 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe 3
PID 2640 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 2640 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe 2
PID 4396 wrote to memory of 4100 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 2516 wrote to memory of 4060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 11
PID 4100 wrote to memory of 4484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 20

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe

"C:\Users\Admin\AppData\Roaming\1000026000\2f82298c90.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\c5815087ba.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6ffc687-3d39-4af5-8708-e775187ce050} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1b5346f8,0x7ffb1b534708,0x7ffb1b534718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xd0,0x124,0x7ffb1b5346f8,0x7ffb1b534708,0x7ffb1b534718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {169cf00b-7a3e-4a03-b574-7e7fc0feb3fb} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3412 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c21ae0-a61a-44b4-97e9-6ceb1b571288} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3616 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7a468f5-ffc9-49d6-841c-7a0c94f8c6e5} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -childID 3 -isForBrowser -prefsHandle 4016 -prefMapHandle 4008 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d57322f2-961e-4251-b39f-467edc5dcddf} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4880 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbcd0302-17c2-4828-8169-db2226845a45} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,72401746978421112,15445046266234373474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,72401746978421112,15445046266234373474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9923fa73-0f27-4f14-bc3d-02191db62368} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5936 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b57b0998-b687-432a-bc12-f3a9c75c5647} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 6112 -prefMapHandle 6116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d258f5c3-23c4-49f8-a6ce-6996ef63c89c} 4100 "\\.\pipe\gecko-crash-server-pipe.4100" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14850291081931037230,12825174762660473616,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2504 /prefetch:2

Network

Country Destination Domain Proto

Files


MD5 c2a7fef2784c29efd1bfb17536c724c5
SHA1 672409e5fe79e29191d02219a3726fac30e9c487
SHA256 da1a08e098e5adade2a2264496cc8daafd2ec895b65376c58cfb62cedfb2183a
SHA512 5172bfa7c843ff247c0acfac938cf6ad21fde4c7d94f668240a8d4afe4fb22e8237fe38124c3cb2417fc5cf15a404ea0aa3a71a9f0661febaca159de057983bb

memory/4444-729-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/4068-739-0x0000000000730000-0x0000000000DAF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 852ee3b90cb4f6534cf1ec3ebbddb6ac
SHA1 b793d90dec154765a2d122db50b3f2ec4cc7e61b
SHA256 827a993a6f135f89a2ec0b17fbc569d3c9028c18c6e960d66dda076042b9e3e2
SHA512 8fff3a2c12a7e04df1166e68483de45342df345b78c95b58a8016760281ba4da3a5369f794bc377ee8fd15c5d64e1657fb1a6c18a5a3ea3a943100d336a30e61

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 df7cfaeca1c96ea0ca63bbf2b3a42ca1
SHA1 ef947d88bdce996927a551611f5b59977d05907b
SHA256 ce9f47302570b484d9649d909454f038a93dca56b9767e7b5914272a28ce8702
SHA512 c73be37f42e5e5764670580af8756bdff8d2f2dfc5269c5417294c6f2764753baffe1c79aa2c4b357ea88faaf079fcd0335914bcc687995a834f744793d2cc91

memory/4444-754-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 219931d4629e3e6da8da1c894c79bd53
SHA1 18928077580fe9852b781a4507d6ad91980e2cce
SHA256 af7fde9f09ca26d9db23cdd81ee9c0827fa04c595be11bb8564e0f1f409e4e70
SHA512 753b13609833fce6a039ef5ac0e0f031821201b3928551d554c7f80afe7e23e450501c66b4547e9a874cd68060a7a9020a3052373b5a134d31054f8e0a6b1691

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 c4d922301db4d829db2697e515460c15
SHA1 dd6de2e4c0556f2d6820d326728c430fab04b5dc
SHA256 c640b669577953205bbfe14be9a5ce74056edc05512d2c54194810083ff150c7
SHA512 3f3bb0bd04cf79995908b4f7daa7b03daf171d3cab5f1ede70469d9866eb326c22bf4e4ea2536f291c0f4debaac2e70a8ab75e2b6e3768b5c59e2e2b20e28489

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 f59ed6c03d82ef4a6a9e4a5858023356
SHA1 e507568282ff1018719c8e234682ed8e7d622e2c
SHA256 8bf994ed3a8853b09241a135c747b91a03ee17e849386aa6e99529a47f834c57
SHA512 d61aa6968634d19cbd90c34ab67ec8f88c4e148ea5f6b16c66f94fb8a79e093c1352226c9d194f18befb193e9435646465782cb9ba3ed93c604fa2fc42030fb3

memory/3596-855-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/3596-877-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9ae5fb810565076801fd189dac5804e7
SHA1 c90180182b66a463184afe6f766d69ed564ec73b
SHA256 eab701c086b3e4ad2c34731244e324c5ff19c62ff2b3a052edfa212a73b0d41c
SHA512 2618be5c8a4c6c1d11b516c9258a15c2d18ce45ccef51b53fbcece8e44f93edd40951d85276c21786faec59ea80dcd10d47cbfe4f144c793dd482ed8d81ab0be

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 960ed4d1ef786918d94476376aa03117
SHA1 32d5e0079aa8ff4c208b77a765afad66f864c4ac
SHA256 3bbb82b09211d284b3ad6bd270d7d40b16d203cc3ebd062f2b8b2b5bd7605723
SHA512 15e169b6fd86a174d1291308b72341e4c916e2d6cf1f1dd256bec959a8c8ebfca3b9a4e2962d56cbd2b80282ff86c1dfa3e2b33f549065039f3e5e71ef26c19c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 5b113fbc6f8af2806ae8b457a14809a4
SHA1 6d43ba8fda5c1d1c04d62bffd49a4b5ee6f7b3eb
SHA256 ae0c3e3bd36d044f1e438bb99a60c1f05ccabc1fd5957b955443ac0927f2d2ed
SHA512 48331c824b18e4613c087d7a604a4d33011d93a1e53ed16b92136907a6f563ab72b41e2609f0f7f72c5041e931ea9a10adadb1efa2329a381840cc0ab7bbf439

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 76fbb4da7662c58855c4fc6f0f71335c
SHA1 07227c781a542e790d635510c4a93550b46ec904
SHA256 75a53cace836881b35c3a04d3b572e20e4cae994e6e6d01305094f378d6107e1
SHA512 71954271696b2097f6f3b707973351912ae6ba955b844b8c8faac35421b88b355ca1f48315993ea411e3d18d005274e70ea928b3bf54f898d408afdf15797630

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 7e6a17c556e176c81bbc8c932c152d9c
SHA1 80e6cc1cefa4c1798102b2d62a333f1a85fd1d71
SHA256 012dbc791837b041e8f4ef91c0692fe880860c1a243fa8ff4b2c979932e2ba57
SHA512 5887affa06093b3c5e8765bf7f17b5f7bf3e0bffa508f90b187b43869165fee0929b9ae0a000b5bfef7314749307dcec404abdd72112ef45e4308078ca5de93b

memory/4444-1123-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 86b2964830f23c3e12c75eb12b082a86
SHA1 2d667a328f8018d559eb2fb8c0fea9247590d6df
SHA256 5d7844ca034e23dc3b0d5511a2c6d3231da1fce9a80c6b0cbc0c02e7cf69c4bb
SHA512 477ef136ef1bec77fa048f092925145a6fed9854d3f7b59fa6c135bea91399568ec95a69ca36dd3645dbfd5dca3724cd4ec9cfb94c5cce37d5669afeda1e0119

memory/4444-1517-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2058-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2601-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

MD5 039dbbcbcbb398212c4d95245a8d4b4d
SHA1 efacf1ea072e5735c0c6251ce5d6166ec42b52be
SHA256 ed86f3e01171641d3120828dd7d72e4340a5761021c5784590f78f1f17fe1b66
SHA512 54be552920f90380b8e705e9b55507dc88815a19a058f134b493e4627dfdd90d9bf447e270e42c17dd71ecccf766983b67a8284aa54eab3df8a45f5070b12e11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 fe48811318a60e9097e0891ca8dfd2e1
SHA1 45d44775485b0c9dde6199b05a27b7802de32b23
SHA256 0152b1d37e22e21635896c92f36c3b7d98ccfe73090decbab0475d45fcf57d4f
SHA512 7e2867074f0961fefcaadaf04b5b39cbe4078dae358b819e0092ca7261102612b332a13f0d4fc3e5b652c01d942c4b766bcad3e48205da8d03ede3e0eaeed408

memory/4444-2950-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2953-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/6200-2955-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/6200-2956-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2957-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2958-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2959-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2968-0x0000000000CE0000-0x000000000119F000-memory.dmp

memory/4444-2975-0x0000000000CE0000-0x000000000119F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c44655fc188d1969ebff61e535721bfb
SHA1 74eb12925264d32e01b1d687cddd61656c99874d
SHA256 c9ffc28410b168db1edaab036e9c470942887c3c543a8c95fc5747115869818c
SHA512 ec06013445775f0cf2f6072b0e28e59765eaa52c60f0758b535c4c08bb0e3663ec7a3e9bea3334626173d22416136ab6b7b143f15acc43d44d7ab01beb2f8ac5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e7f5.TMP

MD5 bddda6a5b2e93302a1322215a3de9cea
SHA1 b9fe421236e8eea1298ffeddc51b29169b98302b
SHA256 69eb0a5b4e4fc3013b9e3831f57ee854ea7a0f36d1a8d90988e10b14d2a1a0dc
SHA512 9ff8c4f415184e1588bdd19d6169a7fc5b677e594180dcae01024d6d24786dc3a6aa449a39565555d47af9d765cb23975914626b213485ba6b297c176c07cd76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 15b69537e992ffdd355e9f7e0c5b8ffd
SHA1 bc00db725df7a80deb51933a0b9840b6496b111f
SHA256 6cdb4a26ee23b2679bcbd98d97402d65bb61304cea4d832527879c30081924e3
SHA512 2b5e9aad54e1ea371e2dcbc26f31c093441478d96800ea2d69ef59e68734e0a3e33a8b0dd8fe5014d3a8d613dfb2b059843a1109589f8a92e93fb88c1f83def8

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 11:12

Reported

2024-09-11 11:14

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\f37d681551.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f37d681551.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2044 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2044 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3500 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe
PID 3500 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe
PID 3500 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe
PID 3500 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe
PID 3500 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe
PID 3500 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe
PID 3500 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 988 wrote to memory of 2988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2988 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 988 wrote to memory of 2348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 988 wrote to memory of 2232 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 988 wrote to memory of 2232 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2348 wrote to memory of 4696 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2232 wrote to memory of 2680 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4696 wrote to memory of 4612 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe

"C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe

"C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb90e537-5ab1-48a6-a61f-c3232f2d81bf} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8bd459-c96f-40e5-bf3e-f5770ef67bab} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 1 -isForBrowser -prefsHandle 1680 -prefMapHandle 1676 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3fb4ea0-575b-4d92-977f-529e383f8c8f} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3720 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {876a37a4-924c-429b-8286-c1d1190c2347} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -childID 3 -isForBrowser -prefsHandle 4112 -prefMapHandle 3728 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb2b391-83a6-4f42-bcac-9ab5771897f3} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4756 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9524ec-a321-4dcd-b8bc-bf2e04f98355} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 4804 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2653c47-b9c4-4764-a800-5fb7efbfcc62} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5784 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {551290ce-8462-49cc-83ed-32ed3a90b3ec} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5976 -childID 6 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {248ee527-5652-4ead-b548-6102767ccfbc} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
GB 142.250.187.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
GB 142.250.187.238:443 www3.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com udp
N/A 127.0.0.1:49839 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com udp
N/A 127.0.0.1:49846 tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
GB 216.58.212.238:443 play.google.com udp
GB 216.58.212.238:443 play.google.com tcp
GB 216.58.212.238:443 play.google.com udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.187.238:443 www3.l.google.com tcp
GB 142.250.187.238:443 www3.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 consent.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 339004dd3f0e7689908bfe8f0f275de7
SHA1 3e095a60342506e00a7bd7ab9001b4997105c7bb
SHA256 abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4
SHA512 f71822833f56fa77a9ac61a7e4803f58f5ea32f5f43264b260b171f8d1e541f8604989d1074a899d6b7923c9a6d667ce41528f17ffacd946ed85cc40b306157c

C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe

MD5 250051046eae3713ed1af118169d9227
SHA1 66ecbbeffdbb6bae912fc9f21b52faeac7b73d49
SHA256 c1d2816e557482077a88b8e23581cd82a92dfca70fd1e7ceaec4ba3adbd7d136
SHA512 a9a49aaf7e56466ec9cbdf86564ba5ad875d8233f12b26c718dc163dfb7d9e139891e5a422eca933e41c3bc19d5dc62d47606e23019fb0cce8f281a981a82d1e

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bs4ppvmb.qd3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 fc38a59cf5daa2b9e67ea0d98222dbf6
SHA1 9b300c26520ca08e562469713aacd96cbf6466c2
SHA256 fc99de14201f81b1648c9ffa69427b36b5004cb24328c4cda5df5ef19eaff3ea
SHA512 d89a53b660347615ef30d3af69716bf04d13abec09bde8e8b124ce9c15ba4bd3d18af1d413ee774b060f728422026e68c3a3f6a7fbecaa9b4d0f11166a2cb17d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 2a9b08e9edc6b1033590cdf9b8cb4236
SHA1 3059218d2c20f295c6e2c2b39c723afa5f9c7f13
SHA256 513cb4dda58368a527518be8e0129405e8776e59ac63f7fbb1faa7cdb09c2652
SHA512 56fe37f6b70d6aee64abe4c68de323cc563971afc4a2f2e51fe39169c802ed34b86261289f02fe80a506aeb4b999e872c226a203b47ef312fa80108b9686e484

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\9c2e2357-7250-4c98-85c2-af7576a44da8

MD5 6372aa9031da3a306733a056d832f425
SHA1 f3967c1019fc63538b867a50c33da0d0b2afb496
SHA256 2cbf2ac024f60568fd6fe6e18a9c3be02f15cc66d42bc76717b919c352d1cb9e
SHA512 6fcde1708234e18a728fb74b581be274377f9cba4b0fa2a27b1f99998785528acded7aa77eb6322099d6ab3a9758176fb4b40702a45f0b01cc15391610399b83

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\9383ccec-287b-4592-ada3-dd743c0c7892

MD5 615513e3f264cec9af2b924ac7901814
SHA1 73d1db9c1f49a6c4787d538d73ee9937179dcc98
SHA256 f2814f08b427821cda28fde9ab5c8df3be891f6804fdbf1730b9da35e1bedef4
SHA512 d47011e77fd5c9048a47eb410d72cdefd3e53b20686e08057c94c59c02de71d852115418272fe91f9947974acef5e712e20bf6bd161d8f38ac3bf4a3e4df3dc7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 8429f864a16254ef25c5b8745af39921
SHA1 804cae2e8053f7f8968599751f15f2439ebd523d
SHA256 c3394a2bb8b8e92325a03018b932a6e350684c77eba9b5825a458e6fab41012d
SHA512 9d0995700fdfb989c68c80e0306beff820d534984a9ab1976093acadab86029cbd16061d1d50fa58831cec0942d09b243d7b936f651d0506b3d85a87af312695

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\7f2c0acb-61f6-4204-a7b7-849a36aaf478

MD5 52726bb5f085d15f16ff097ab4f846e2
SHA1 1c68ad54f17c134b32ad65a3327e463259108b5b
SHA256 aa74775b0f6061be2cba1ea270579cfdae7aff40ca93a1d6d1f27cf84f0aaa49
SHA512 487fdf2e1399473c00d485ac30d7e9d69740495a6e53d0cc4c3561062afd3802c3b44cd6c4b38f637787ca8147cf6e7e226d4804b9a41d128468bfd8233ae3f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 bb4549cf4ca818416e8c31d102a4c7fe
SHA1 af9666dc9838100bd8375be1566a7c1288ceaa1e
SHA256 04afb380a4ad28362d8677eb25436810e15840ed7c37c264e2e408db8f0a6890
SHA512 dae2d9b3fc14e7b24c770c510d3eda415a336b36334fa076e349cbb51a544d27b5460cac547ed36b4600d460233afb395eeebb92e29c86d63746c51ef08e116f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 7268312835d3f2ffef9e8b0138719ebe
SHA1 3f53f84b8f23f94b92128ee435a2381dc4f33c43
SHA256 4b02d8b8f0f01328f8ed133ce2d6c315458d8fdc66e24d576af173e1a4605972
SHA512 1f68ffa2f0b43f585a403b78e3052f70c696a710006becb420f9d0436a9f350d174b778048f668e203c012f8b74f2a6ee2dde30d593b0746fbd2323f119df37d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 5c4a19e847a211aa9e38298262343663
SHA1 89df6adf740e4ed7be606bbec9f9df3963c8581b
SHA256 7eeaf13b21fd0271cd802c313fa6d2460959abc1a96f61cd815ed097d510d8e5
SHA512 536f8e69f54a1be33f982bf03370e5a95063f50929ea1dbad0992ed89bc0162b049c93fc6a9dd5d6dfc8824e0cdc053f0ecaec3e8124d3db7bd3170864964d49

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

MD5 772135cf6cf010ba0fe257e193b533be
SHA1 c0e17f2c01cfb4977d91d0b6b08f733083ca829c
SHA256 3d0acea60299ba03c7c8ad4117176702e60958eae2948fe9d534417b766589bf
SHA512 3c8a2eef0a3d743d0f4a2daabd304f420e1a2411f091198cee14234e271a27298889f0d8367f84ca44f8042b269a483d9e66a07a29f476e1787b6c25f7d07d0b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 e29157a56eaee0a48edc3f2699c954b2
SHA1 1513602296a8f289b7a9354b83fec5733ab29c0a
SHA256 882c93eeb7d65a0035503f12fd3bef4e1c7679340c28020cff12435e3a5116ac
SHA512 e5efd36518f1e0a919c0d400cffda9c17cd417abacc82c5072dfc8f654cc0800dc52798dae77cc501f2337c8332f69b4cf6b023c9a8d3c053b527a5e14c7ef14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 75a29a507501121b1afdbf4d709f26a6
SHA1 cd336ef2bc38be9b827afb5fd08b7907655b008e
SHA256 31e2937e0323eb863aa1bb4211e58abf5f9e626fee383cb690114696ef8e6b27
SHA512 a30d3d15dc988714a6f2f0dafc55d8dca88359fc809635f22b4e6cd42b5e9d636c249cae491b4830bb3c2c391c18401601cdf07d1632b42117df3ddb09700fef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

MD5 f946af6815a8dede179e81213feca186
SHA1 5a6d7cf16494c095be74c5541a18a63fc3c2603f
SHA256 b5f4c0a59285806235fb16d4dfedcf0e6078ca0011ddf33f187f5b8275f4b646
SHA512 28664b17c2d155a040845d8f280445065461e7bb396ca8bc4689d695d2901febda2dd738c51240d3cfb0896a2f9d4810978d8535783c7c2427a3176b63cdfa7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 be13aee8c6858f65c8e9f8cf851f808b
SHA1 be35c48302406670fc4180b0ebd512f2079ab871
SHA256 14a1fe0195c61b3097d69024814432d528f6e8b19a32b558bf9e1e13eed68178
SHA512 a4ff04ab8aee8f3a38901f75f4f075de5309b5724ada36cef71064aec89a363b8933d501df9a9cb21eb45cafbb42dc553ede09f3859acb72ce6985b25e257349

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 34ad6caac7b0c5734d15270a857a2b5e
SHA1 ccfc000c716953f68d3ce8878ec2ac665be3e74a
SHA256 35156ef3a49a22ca7c347f48646bc2ba8960caa968a12e84d51b4d1a98f3d37f
SHA512 833739c0179ca80d8c89973f61654799657f98f167f48767d68947598d7d6214f98c7636f3a5ab4bf002a489ec3c10a838d9aace4cc76ff473b0faa3ba664d37

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

MD5 9a92fca74711b7e182d5c06440d33af0
SHA1 3c11353df695922eea23b496314a76caac7bd438
SHA256 dcbb5dfc6ccb1848b5effb05f883fdbdca51a72380741f58893d50043b01ece2
SHA512 8a1adbe701fcda1e5a392b9ef90d735aac7008ecfda236a6dd9fcc7c3d6dd413afea2f6b4711bdced2d6c87f8968709e041e85d5b9c8d6e394a7f3c214ad0a8b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 ae4ab54a2648cd933c203b73827ef977
SHA1 df81ea2c978a3219864ae98a13374d456bc9eb3a
SHA256 f08b75db449941b6c2f8e890829a5dfbceab563e2ca696b9bb1f0069f9f32746
SHA512 6e0616a1702f1f63d558ac10a7997a344c18e1da5823185e444f4b19a011f3cefd8e202e9dacb7dc4e2097dd1982b510eb44328aa57d013d2abeb20af0a2d907

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c4ca13314191700053b1ec9ed5f361ed
SHA1 5f4ac5a7925e88edf4e2c7987a24eeb1728621ea
SHA256 fcece7509178478463690f920230639c85649ecae83021195df81895df800ed7
SHA512 860245622e44d6aed2bbd4d50972d8a70d005324550c289961d31bbea702961c45806aa8be5631b3605224a2b7b048a3eabd4b0fb81d51f6c29991ab28d1121b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

MD5 ea67fd2348ef285a63cbd96180cf134c
SHA1 328865971517719d96a2b2287bcb3ecb22fb5409
SHA256 ca15b3df1ee37d906608860e09aa6c157ec8cd1bb970c5ceaa268668c3471195
SHA512 c3c3c8ce3777177cb3881a6f1d39cf1bb2aa5d6dae70892df4ffe422e96aaef96c9504e6a7fc2c36f39f63ab93bd4b00711992fb4465705f7683ae8d474aa22a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

MD5 fd5cf9067d6a3e2cf50c94c03cf46bb5
SHA1 910bf754fe5828823c899cc15fe83f3f073326a1
SHA256 d456309cf2aed318441c17164dcf53a9da6fcd949369bedd9db6a0b358cd6c30
SHA512 02584ed730d505f5061d07a99065f9fd2a42de3fa77f11c35f6857573757f2c33adb5da7145c51e30970402cf4c0c7ed9d36a0de9a8855287d28a4025754dd3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 90cbd26765e981e80a25a184813c85cd
SHA1 bad4aae511417b15c8de6913283fa9a08e5672cd
SHA256 ed773fc0fff3499a99df3a5dfc06caa8e60efd3a72a26e0f502e74367902215a
SHA512 906dcb1a0e9b73ee0e2876e58402ed0cdcd2a7b1056fb62c55870c8fe6dca17f33a549c0a55fcb8c97379059990823aecf710de0e0158986b9609aef9cde0a7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 2b9aec41d37332998443b72ad70b3f98
SHA1 41b81239e7b57320bbadfcb77a9ea3eb412f6c65
SHA256 1da2cc2a8ca25f26d1192f92f42bd4ab7029b4a3278007a064151567020404ef
SHA512 ad53ac0492eb7bde2058d74b4a8b56bf8364b14d7e9aa867b775426d795fdeda02b73bf83ea97bf38cccb0e32e0fb82f77355eaaddfacbe49fbad1228ae9525b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

MD5 926e4fcaa860d559206cc201f9842e7c
SHA1 3c1ac691c0788cdfadee70351952725332dda53b
SHA256 3de8d761aa062fea50de53a713f3e175ca20ca5a378f31677ea32252828f21e4
SHA512 d065a7ef09001ea9a6698325a424b486e1ac0a6cf9019292da694f0cee1e43960eb44a07e58e6c0330b15e58106f21ce9e10a3a570d4f851fc3051585dd9a820

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

MD5 1ed35173bd9e6ddc55d36f6f78da99a3
SHA1 3372e3ca8ddf287127d37926511948d89d2b17d6
SHA256 75eedcc840a64744a67a70373c4f43f1a18dd9eb59935fbe1c6ace2fd4e76d07
SHA512 6a78fdd24fa883ff1638dd128b99b4b895619d3814bc133b84a4fcc44458448ee5777a2fe91e80a3dfa492e7e664840c6f81c2107529fbb6f6a1761410df9fd7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
