Malware Analysis Report

2024-10-19 09:08

Sample ID 240911-txjxsazhjl
Target ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
SHA256 ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
Tags
amadey stealc c7817d rave discovery evasion execution persistence stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801

Threat Level: Known bad

The file ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801 was found to be: Known bad.

Malicious Activity Summary

Amadey

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 16:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 16:26

Reported

2024-09-11 16:28

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×3
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×1
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×1

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×1

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×1
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A ×2
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1

Identifies Wine through registry keys

evasion
Description Indicator Process Target Count
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×3
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×1
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×1

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\114eb35934.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\114eb35934.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A ×2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A ×1

Checks processor information in registry

Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A ×3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A ×2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A ×2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A ×3
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A ×2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A ×2

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×2
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A ×6
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A ×2
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A ×2
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A ×8
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A ×6
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A ×2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A ×1
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A ×5

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A ×1
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A ×21
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A ×25

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A ×20
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A ×24

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3628 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe ×3
PID 448 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe ×3
PID 448 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe ×3
PID 448 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ×3
PID 4532 wrote to memory of 1684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe ×3
PID 4532 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe ×3
PID 4532 wrote to memory of 4152 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe ×2
PID 4152 wrote to memory of 4980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe ×11
PID 4532 wrote to memory of 1348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe ×2
PID 1348 wrote to memory of 3636 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe ×11
PID 4980 wrote to memory of 4792 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe ×20

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe

"C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe

"C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f030041-1cbf-4a89-8c6e-d285aaf8a5e5} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb70f9be-bf07-4b4f-a4bc-59e93eabdf68} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8b1946f8,0x7ffc8b194708,0x7ffc8b194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc8b1946f8,0x7ffc8b194708,0x7ffc8b194718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 2872 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe13f1a-459a-44a7-8b08-fa8f1612a2ac} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 2 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1bc92c4-323a-4f39-94dd-96b9dfd298e4} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -childID 3 -isForBrowser -prefsHandle 4104 -prefMapHandle 3692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6200554b-9d33-4327-b2e9-56fa27596384} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 5004 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e41c32-3751-4c2b-ba96-c45f94bb8898} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14715744104998962272,3232219489734209996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14715744104998962272,3232219489734209996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 4 -isForBrowser -prefsHandle 4512 -prefMapHandle 3696 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee9b834-c728-42eb-944e-dbe70ca15709} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b610f19-1ad9-4309-8437-50aa2d1c7940} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -childID 6 -isForBrowser -prefsHandle 6116 -prefMapHandle 6120 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c91302e9-566a-4362-8755-d1bba90632e5} 4980 "\\.\pipe\gecko-crash-server-pipe.4980" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18114063376230738770,2860260644491805883,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5364 /prefetch:2

Network

Country Destination Domain Proto

Files

SHA256 2e7ce215da98f9c62bc5dea4da9dcf0d39335f8dea979cdc20ca2a5ae501e705
SHA512 084e4e76f579f4afbb33d8e4590dc90013346d064292e515bb5101aa3b8982e28775e64c1da23912aec1080fe40ac728f9164c702809619a08d201df284b7480

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f03e3976a60908fac8d71e3a19266166
SHA1 4407f83170bf8c8b2a7e408fdb9de73505766007
SHA256 eee171beaaf5438c4831c03a4e66e2f6217874e6543171193ccacf83c40df271
SHA512 7551c1d7754ce8bfc1221b9fc40c7e9afe5a79c241518d8ee08ceb63c099eb367269f592293e3ba7034b40ff93526f4016657dabbf789a51ff79044c5d8fb72a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

MD5 5b27cca4d21d930f9d0d59f66a0e93d2
SHA1 ecbc9e43e97ec887cec4c89ad6a81b3d018559f4
SHA256 f717727667ab8ea30235b9537c8f0d010017c600e2566998c48de0ac919beca9
SHA512 b75cc11480bdb918d4816c4bd76ebcf9bf9e8201a1cf190f591b094ebdc062ceab9cc7d772567e9067e5ad2d95a9e59f2e455a7d81e614631ff21e38156436f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

MD5 5e27460e505cefcf1652edc22e1e5bfc
SHA1 75d3b853fe8c4b5b351284a9e3b495aee0c6bd32
SHA256 0ee8eb12c37da93c0610d8f7e3d9eb79f8da5a7011058ce2fd7310bc189de1b3
SHA512 b158d61afc2fd51adde52533cb904eb3ec92d8ad021a22a2e87518988a92e1f77631620e6d9183546056c0cbf74df5e2f621159b44e404e20a2debb2d30d6b19

memory/7164-787-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/7164-794-0x0000000000EE0000-0x00000000013AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

memory/448-809-0x0000000000EE0000-0x00000000013AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 4877dc93ed31d16dc55365f0422875e9
SHA1 e628796d69afbe37c68a15639c0922f9455f9ce5
SHA256 d52ca1b5780c65628fbd6d30a7705dcbb9a2b1b8cc0dd9e3684c59421e18cca6
SHA512 883acac347e926f82a72715f9a287d76a7893d3f35408040c52518a43eda8cb51c0eb64f15b5bd7cdd67c1fb67a6e6596d3d98f86a5d8a4e9663a599621c4230

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7aa4e0e8e8f83f6b71e68c5651896877
SHA1 7984bee17e3d682e3a0e3f6fc02d1f2ef0fdc0af
SHA256 e96eed82440f88636464dd3bcb4751a7eb3b5c29c2e00c09b283dc4a2f92b53c
SHA512 f9be2fe9e7148bdbbca204559e0f308011e0c4dec6cb9e2abf25005ffc209d4e7e153a8e2274021fb627cfa0142a8c48cc1601b13bd66ac5736e6619f4faa97a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

MD5 ba3333cfb1d34e81aff8fe8bb5350c19
SHA1 6eb8de48a554512ca8efe8d7b88b5ebc4b272da4
SHA256 fd61fe15fae40484a36ac2d24becdc5ab752a40faf504beedf094f754f234980
SHA512 4d81377f8e98eace2f46a645b5dfc57b5c0bf774e851cbf26cba23d5a1bbd0c32a514213388f1661fbe47ecf756df15828b88114208b99cdf37cfa4c65a83f51

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 b3bd4a9e0f8d735ff2ab34221fff2af5
SHA1 a342a2c74c7f129947fbaebd16b266e911ecaf32
SHA256 9fa184600f884c9a872b9063e6f2d1462d83d2ac396b2e227093ce0147b032b5
SHA512 d94f8b6c16d702a65e96ca8f192f3f6fa7a7deafdade0de4bd2da369c7a6b544767d1ca93cbb71ce79273a6f228cb573eb2d4329c81f2ff0f33fe1b13e321384

memory/448-1039-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-1133-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-1507-0x0000000000EE0000-0x00000000013AD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3bf6cb6bc8a1ea15c6732e8599316ae5
SHA1 a94e0106dddc1267cb2df4ec359f98bcba14820d
SHA256 37c0912c1807fd5516f8509e2ff2e1ac1814e70cfffe28edc6f4a24d7f471d2e
SHA512 bbbe83c6cee5cc505d366171646c09271ca56a7cea3e8ac57b33fc92c5778b3e9c73f7754181f7f20cf207e970bfd537ff7d2f04481fb65293cad3784251b787

memory/448-1839-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-2316-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/3496-2641-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/3496-2673-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-2766-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-2979-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-2982-0x0000000000EE0000-0x00000000013AD000-memory.dmp

memory/448-2991-0x0000000000EE0000-0x00000000013AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-11 16:26

Reported 2024-09-11 16:28

Platform win11-20240802-en

Max time kernel 145s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\114eb35934.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\114eb35934.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4648 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 4648 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe
PID 440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe
PID 440 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe
PID 440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe
PID 440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe
PID 440 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe
PID 440 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 440 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 440 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 700 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 3828 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 700 wrote to memory of 2732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 700 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 700 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2732 wrote to memory of 4288 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4288 wrote to memory of 3368 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe

"C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe

"C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68642c2d-721d-4190-8af3-693a44697a7b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed0da6d2-6294-4826-99b1-b70fec00a89d} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0539ee-5919-4d6b-9270-81fcb1d27e3b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3440 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3516cdc4-080a-4d81-9b9d-f495545b57a0} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -childID 3 -isForBrowser -prefsHandle 2928 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70571e9-c1c4-4620-960e-38ea2eb9ae32} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5168 -prefMapHandle 5152 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {968843e3-acbe-4f4c-b446-c165e71d043f} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aecad104-9dcc-4083-8525-0ff651e3a68c} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 6008 -prefMapHandle 6004 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c8a0738-d19f-433b-aa74-87868066c515} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {594068db-eede-4633-a425-306d7b3ce170} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
N/A 127.0.0.1:49845 tcp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
GB 142.250.179.238:443 consent.youtube.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
RU 185.215.113.103:80 185.215.113.103 tcp
N/A 127.0.0.1:49852 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.187.238:443 redirector.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
GB 142.250.179.238:443 consent.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
GB 142.250.187.238:443 redirector.gvt1.com tcp
GB 142.250.179.238:443 consent.youtube.com udp
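
The table above mixes three direct-to-IP HTTP connections (31.41.244.10, 31.41.244.11, 185.215.113.103, all on port 80) with Firefox, Google and Akamai traffic from the browser the sandbox had open. The following script is an added example, not part of the sandbox report: it parses rows in the same "Country Destination Domain Proto" shape, discards loopback connections, folds the in-addr.arpa PTR queries back onto the IPs they resolve, and separates C2 candidates from browser noise. The noise allowlist and the "C2 candidate" label are analyst assumptions; the script flags, it does not attribute.

```python
"""IOC triage over a sandbox 'Network' table (added example, not from the report).

Rows look like:  <Country> <ip:port> <domain-or-blank> <proto>
Direct-to-IP connections (domain == ip) become C2 candidates; domains under
NOISE_SUFFIXES are treated as browser/CDN background; PTR lookups are
re-associated with the IP they were issued for.
"""
import ipaddress
import re

# Constructed sample: a subset of the rows shown in the report above.
SAMPLE_ROWS = """\
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 172.217.16.238:443 youtube-ui.l.google.com tcp
N/A 127.0.0.1:49845 tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 88.221.134.209:80 a19.dscg10.akamai.net tcp
"""

# Analyst assumption: these suffixes are sandbox/browser background, not C2.
NOISE_SUFFIXES = (
    "google.com", "youtube.com", "gvt1.com", "mozilla.net", "mozilla.com",
    "getpocket.com", "akamai.net",
)

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Yield one dict per well-formed row; malformed lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row


def ptr_to_ip(name):
    """'10.244.41.31.in-addr.arpa' -> '31.41.244.10' (PTR names reverse the octets)."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def is_noise(domain):
    return bool(domain) and any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(text):
    """Return (c2_candidates, noise_domains, ptr_targets) for a Network table."""
    c2, noise, ptr = {}, set(), set()
    for r in parse_rows(text):
        ip, domain = r["ip"], r["domain"]
        if ipaddress.ip_address(ip).is_loopback:
            continue                        # sandbox-internal, never an IOC
        if domain and domain.endswith(".in-addr.arpa"):
            ptr.add(ptr_to_ip(domain))      # PTR query: remember which IP it was for
            continue
        if is_noise(domain):
            noise.add(domain)
            continue
        key = f"{ip}:{r['port']}/{r['proto']}"
        c2[key] = {"cc": r["cc"], "domain": None if domain == ip else domain}
    for key, info in c2.items():            # was a reverse lookup issued for this IP?
        info["ptr_lookup_seen"] = key.split(":")[0] in ptr
    return c2, sorted(noise), sorted(ptr)


if __name__ == "__main__":
    c2, noise, ptr = triage(SAMPLE_ROWS)
    for key, info in c2.items():
        print(key, info)
    print("noise:", noise)
```

On the sample rows this yields the three port-80 destinations as candidates, with 31.41.244.10 and 31.41.244.11 marked as having had PTR lookups and 185.215.113.103 not; feed it the full table to get the same split over every row.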

Files

memory/4648-0-0x0000000000AB0000-0x0000000000F7D000-memory.dmp

memory/4648-1-0x0000000077DD6000-0x0000000077DD8000-memory.dmp

memory/4648-2-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

memory/4648-3-0x0000000000AB0000-0x0000000000F7D000-memory.dmp

memory/4648-5-0x0000000000AB0000-0x0000000000F7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 eeb139916aa5a94fb6de01d67d329939
SHA1 7881a77833d76054afee411c19b37b5ee08ca9b1
SHA256 ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
SHA512 f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef

memory/4648-17-0x0000000000AB0000-0x0000000000F7D000-memory.dmp

memory/440-18-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-19-0x00000000005B1000-0x00000000005DF000-memory.dmp

memory/440-20-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-21-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-22-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe

MD5 73bbd225dee50a7cd44e58a8fc26e148
SHA1 6ac24985dc5d2e03d1c603c05b9b739b3e5bc7eb
SHA256 dc21dbe83a9a684aa2e77849977a9ab60e8c5b52af4e2a4f4f0aaa148dfda587
SHA512 5ab645b0da9e90cac4b66de3cf89325fde48de512bbedf7555c1da8da6dfdc193a7790d5b14c7215459acffe02cb393ff9f9b42dfccf0cdc78db413571f442f6

memory/392-38-0x0000000000C80000-0x000000000130F000-memory.dmp

memory/440-47-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/392-55-0x0000000000C81000-0x0000000000C95000-memory.dmp

memory/440-57-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/4452-58-0x0000000000540000-0x0000000000BCF000-memory.dmp

memory/392-54-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/440-59-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/700-67-0x0000000003060000-0x0000000003096000-memory.dmp

memory/700-68-0x0000000005BA0000-0x00000000061CA000-memory.dmp

memory/700-69-0x0000000005990000-0x00000000059B2000-memory.dmp

memory/700-71-0x00000000062D0000-0x0000000006336000-memory.dmp

memory/700-70-0x0000000005B30000-0x0000000005B96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qprvgngj.j1t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/700-80-0x0000000006470000-0x00000000067C7000-memory.dmp

memory/700-81-0x0000000006830000-0x000000000684E000-memory.dmp

memory/700-82-0x0000000006D80000-0x0000000006DCC000-memory.dmp

memory/700-84-0x0000000007AA0000-0x0000000007B36000-memory.dmp

memory/700-85-0x0000000006D60000-0x0000000006D7A000-memory.dmp

memory/700-86-0x0000000006E10000-0x0000000006E32000-memory.dmp

memory/700-87-0x0000000008110000-0x00000000086B6000-memory.dmp

memory/392-89-0x0000000000C80000-0x000000000130F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 67f5aebb53d7bfe185423128a8d577d9
SHA1 ce497e5eb0ac9be84796ec6238308dfd2c99be64
SHA256 5fac4b4928c6c80ed90562fe47ca7ecd0e1f47e444ee9a3f95287dbee845ec7b
SHA512 51c1921b0460de4d8e006df73f376996312100d99595f12020bd73501cf31197860900f7692efba85004e345284a5465cec679771a57250f7433a4ec4f4fbc49

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\f827db34-34ab-4790-82ab-d4c87f205176

MD5 81036ba12c8f91f1ff9dbf860cdf7a48
SHA1 9dbb3b8e467c87a89e553a612fe4569b75094ac2
SHA256 6fe2e07ede7d59e81327e1639d9cc90d547ae82f913a8ea824bd14178972c398
SHA512 35d7717a0a27e98c0c155163ad80a3fa43b5937c25e31e0febb3c840f80a3985539ae3bcc1443f8f844b603ef9a867fa24f8190e1c9647eca082396db2174eb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 48ee3b825a54112b50658c593c292902
SHA1 9c7251578f6fca7394ef18b20358ada6df5eb875
SHA256 4d89401f73b833cb69a6259999107672d7444c922ca23c50a03832b0d8bfe756
SHA512 ffccb44b7b7ddfe0b5689b834329b5032af866944c1c66dd9525cb60035fbb80bc87c62cb036ecee143a5926696d39c2edcf7ab225a2d22a023052189225377b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\a133b90a-04a4-4047-ab65-2dd08e13c340

MD5 cc91789dd368496f564abfc90301e61d
SHA1 bb3f47056cfc29494dbd1dbe0ec8ffafbd4cb020
SHA256 4c3ad17fe5eb4df3868dc819a813c190cf013f23cea873b5d17750ed62c06170
SHA512 2227b3df3985363785bb2e3153b5bcb6c712dc65331dd858be71fb45c399563c974d87cbf43fd773f9b23f69c261d117b05ab001268ba9e78218c90cc3332b4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\693db4d3-e596-46ef-a912-d407224948a9

MD5 2e6c117264b4cc0674f53afcb80a7129
SHA1 84f8efa19c8da0eeeed39044dfdfbe7e4345ec71
SHA256 8987804e739aec976d20696373b705680837b001f7c9f127bc0a11dc9c30bf2a
SHA512 7130afeeab889cb16e68eeb88d01394924ca5fc2afa85dca4b48b455a3bc3820cf9828d4ffd8a53da750468e64aeec2f446211a77a8f7d70888899e25002a71a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 e34713b9bcc5bdc0ce9d2a77d02432c0
SHA1 1386a947ceb8178907d268f960e2dd74a840b2a8
SHA256 5998db3ea3cad75803c4e1da142d07b91af702e413b47260acd5b904f1ab6362
SHA512 a8bc12f5db051e7b0066a0bef1bb85ad70c4783fd4dc6cca84e52f8ca40e01c9220fdc5d783e4eaf2e935a5e6a817604765f8247199556abef38c5527a7c4f02

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 890972006f4936e421981ac18f8d5c00
SHA1 7efadd3123bf76bc0b6fe0c3b5d41e31fa8f5d4a
SHA256 a3de69a2a24f25439f3cb91f893cbc01524e9bc0662aeebfe7a309166eb30207
SHA512 fb83f81c1877fc13b261d1a55d6c24ddc891a66141439471cc0186026d554f292b0fd0ca5978fbc24d8385f2734c1c3107ebf72f929cec81800e21e67277fcec

memory/4452-399-0x0000000000540000-0x0000000000BCF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 f0da5284357e8b2665e3e214c940f3dd
SHA1 f75045c987c5b6169d95b2f6c033b4b9ec7cfa54
SHA256 24c0b692a976a75b540e0de978a04bacd85bbbe9cfdee85daeb7f1696bba3973
SHA512 b5a07236e13f7c6cf18b0d458263f81fe1e6cecbd83407e62d1f6a059b2aa0b3523863ad66437867477452016d13cadb8a7254783591d62019240970a1468c6e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 38c35afe1c736cad27a77e99c6653887
SHA1 ff57120c1bc8a39e8bad431869963c1b26df3e8d
SHA256 34457be02b8f57968edf18fa07c4210c3df0109234ea1598fadfb2dbbfac2051
SHA512 063a0b48cf5c29a8efad07cd33eea54e5f7863d40e185f4651d14240d978723f49079d7e329bb74b367c89abed67dfa3aba0c7a321f64c6dc89a20d0ebcd17ab

memory/440-484-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 2bf72fb9833be3bfbe7362d1cebfeafc
SHA1 bcc113b2e8fcc4a5435b9b37dd8bcd836884b29c
SHA256 181e92106900f93f8a7ae047742a98c2f068cb5c1f43b7fd76a4c416b63f8817
SHA512 9015ae12021d1567b5149a5acf172374bfa9f3b80dcd91c3be2ed9a50e04e5b479478209b00f83d608a613fd631ec0feb585161a5b67879e901500bf7373725e

memory/440-514-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 0c583d822bab27fea3d6e07e9bdd66b2
SHA1 6ae77a10879ce768984acb47722eed3c022b2b1b
SHA256 2722b426d7731d00c3c60bef33e96eab97f565159b2a0f209e1caf1b7a151720
SHA512 63409b4cddffcc24601ced9d60a2c11d74b396edbe48541183645c21d5404ba29abca4fb9bc8023ed2afc99c124a18912d87e625c23da993cf6142a560172134

memory/440-521-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 8d07a9fd560f980757d1720d7c276ef6
SHA1 7c3802367747bb1fc264cf34e68e1c2ee4a413ca
SHA256 ab4fce2785089abd9450716dd905c6b6f7b98619529bc1a4deabc151eb9ade1d
SHA512 1730316101529e870b78735e0acb5f03ee0612a8f2c0cfc2a4c848e0c9823ba6b3d552bea9baadb1f9211b31f1c10d817d87ab51dbef593250b38d1287a7684f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 314e8ec211c169ec0a45c353af2c1ba1
SHA1 7f506746731204a404938855b6bad40e90d308f1
SHA256 e3aca54d76e9e7e085b8295d50f8c79acc747d5362780b57e5d1ae353fdb771c
SHA512 41f7272ce540d5692703b5de307fa8fd444c55fbc80ba038b3c56688955ca2933a607971823132352946c176670fc0ec82f1f076422404e77067a2a97ac3b8b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 504931ad0132b95b82d8c9f23aa338e3
SHA1 848ad9bc374eb9bd1e540ccb572db9f7bcc5c312
SHA256 8a318969f893cef04998f85faf694a2ec07013d072b87716d12521137eb00e2c
SHA512 60357d8614a0b2a8db41fa738b74d8a98a4e082b5ba2f678f0d5ea92d23720a0e8f55fade0530579496d62944ddfc85c23ece86cf926080f2b307fd96a047eeb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 b37b20b4c092f31aa47e727c56fb4f63
SHA1 819fa217923432b5386835e169a1eab97f8ea33f
SHA256 67816e76900c928b13b9129888337b956b9da9140507ed3a38a2d9951fa1013b
SHA512 7ce3cba956415443a20c1e7c14f9b4c2cabc001435c6fccdf00afa15f5ae038a41e68c34c0f5ff734203e5e8f00b23938e7f469c7f731fe5d172e2a93f86edaa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

MD5 7c017058d44a9187e2f1f0561176688c
SHA1 a26ee51f2ccce68dee6ef36de4a4905c2c19ad5c
SHA256 91a082bbf5b1131f7d588db70801451fc5d40962d2e35e1647de8d7b57ef616f
SHA512 8f6b183580a2c57ddf2c4ad9e470b51a25c73752374bfe0f5f290ae828289d792c4c69c37da2067ce890719ad19d02ee9dd825315636dba0ab0a71afbc14f15f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 3d881538e8f844e4f2ecda1033ec6e10
SHA1 06885e6ea43377ded520036a740126e026bfd202
SHA256 36a13fb00be8baa13cb80c144e71c006a841e5a9634d1549acfa1d03c08e48a8
SHA512 5fa18446edff77f021880086f27efaeeb02fbdf661bf6ad477530ee862ac3830b4900e73fc54b3f0dfb268de3e358d5346ee58a241660d62cbd74d952d9d37d6

memory/3392-608-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/3392-634-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 fd3b9e3bde621cd4db60a04febdebdc2
SHA1 ed2846d16994b9b45131c7a47b880540a9f1bb2f
SHA256 41240c489cd3c2c9328ed2684effa7eaef1fe76e63150a955d6480043b998219
SHA512 efa5b87a2f8a908a0912a50694aab5ef08d82a43948a816c523b0bbc2521583765a305ab7e5be04149d0ae82198937551c1db5131ca4aeb12fdf3e66b165b037

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 03dc2f7cd9779201c199d6a57cfacb46
SHA1 48845e029e3e75d637fc92d33405914dc629c9a5
SHA256 e43d6b915a0584eda25a6803269cf3cd47c71a7c3523d9110151011fdbd4e9e3
SHA512 a08e05af90a845b344b5de021934ea1be9fe446bf972e5b72fd697e0eb95eccd22d2b57e4af543d385b62b7a36579459e5c43f289ae60b5239d68c45808d99f5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5c9c47793ab712567ff87c2b430290d8
SHA1 f8bdfb4a55cc70e691f23f9cda50e4a500f530a9
SHA256 7f47f70d02a82d8b1558e05e7b4190cf87537c5a3e29cbb1081cb7cc15f69a63
SHA512 6ebc80233ed41df430ee826e884c4ca495e3e847fd5955d7f112198cbe6f14e42e1ee16df0f753fdb89ce46e02473476b62734326f16e5f4d3fa48918e9855d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 db2172b327ba3f806e5c92b6cf43cf46
SHA1 5fa70e337330716274654ce91af79b009d7c79cc
SHA256 f2dfb9e02ff1eb8919f050cf69988618fc559a89a65368a0bca00cfc60e6b13c
SHA512 e1dc06619af3a0d3dcd1b23a8f974a03d2910ec376d5d98dff445d65394d9302e14acd3b1c9b19718d0ef39ee9b3871f1c525ef3b644b0ddf855b12341a77bea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 48d86fc7acd8ce8f0a754292aed146b7
SHA1 5966f7f63b84b3781e5b4e7f4771805f6f88e668
SHA256 4d2c107652bca15c81a5e2357733b3a61b5e20e0cad0f8d51666915ae4a7d1f3
SHA512 beff98361ec137704318bbad8439f6abd2af771404a49f35ab6cbb4f001013163b03d8267ce93dc2e130cf93032f2f6910f0d9b652508cdd3de275f42a974c7b

memory/440-745-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

memory/440-960-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-1055-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

MD5 8265322172b2cbeb6e357b0f3388391a
SHA1 4fa9c9a543741d4837cb176459b1a354702013bb
SHA256 5754eb88b7eac0e20aa9a612dea908a20594d5157e5c79fbf6ed8290c438df17
SHA512 d6189cb76bdef3412238483d8c7096cf0ba5607b163a2578b7e6b2b82c9bd46b11e5cb43350e83edad850028590dca86e214b027fa5913fa0cbbb4072c396431

memory/440-1079-0x00000000005B0000-0x0000000000A7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

memory/440-1117-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-1394-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/4512-1817-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-1938-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-2624-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-2823-0x00000000005B0000-0x0000000000A7D000-memory.dmp

memory/440-2836-0x00000000005B0000-0x0000000000A7D000-memory.dmp
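
Most entries in the listing above are Firefox profile churn (AlternateServices.bin, glean pings, prefs.js, GMP plugin files) and memory dumps; the files worth hunting are the loader's self-copy in Temp\0e8d0864aa\svoutse.exe (its SHA256 is the analysed sample's), the fetched 3de546954f.exe under Roaming\1000026000\, and do.ps1 under Temp\1000039041\. The __PSScriptPolicyTest_*.ps1 file is written by PowerShell itself at startup to probe AppLocker/WDAC policy and should not be hunted as a malware drop. The script below is an added example, not part of the report: it parses this listing format, classifies paths, and builds a SHA256 manifest with a lookup helper. The staging-directory patterns generalise from the single instance of each shown above and are analyst assumptions.

```python
"""Hunt-ready indicators from a sandbox 'Files' listing (added example, not
part of the report). Entries are a path followed by MD5/SHA1/SHA256/SHA512
lines, or a memory/<pid>-... dump name, separated by blank lines. The
staging-directory patterns are analyst assumptions generalised from the
single instance of each shown above; review them before hunting at scale."""
import hashlib
import re

SAMPLE_SHA256 = "ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801"

# Constructed sample: four entries copied from the listing above.
SAMPLE_LISTING = r"""
memory/4648-0-0x0000000000AB0000-0x0000000000F7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 eeb139916aa5a94fb6de01d67d329939
SHA1 7881a77833d76054afee411c19b37b5ee08ca9b1
SHA256 ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
SHA512 f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef

C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe

MD5 73bbd225dee50a7cd44e58a8fc26e148
SHA1 6ac24985dc5d2e03d1c603c05b9b739b3e5bc7eb
SHA256 dc21dbe83a9a684aa2e77849977a9ab60e8c5b52af4e2a4f4f0aaa148dfda587
SHA512 5ab645b0da9e90cac4b66de3cf89325fde48de512bbedf7555c1da8da6dfdc193a7790d5b14c7215459acffe02cb393ff9f9b42dfccf0cdc78db413571f442f6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qprvgngj.j1t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 3d881538e8f844e4f2ecda1033ec6e10
SHA1 06885e6ea43377ded520036a740126e026bfd202
SHA256 36a13fb00be8baa13cb80c144e71c006a841e5a9634d1549acfa1d03c08e48a8
SHA512 5fa18446edff77f021880086f27efaeeb02fbdf661bf6ad477530ee862ac3830b4900e73fc54b3f0dfb268de3e358d5346ee58a241660d62cbd74d952d9d37d6
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
# Assumed staging shapes: Temp\<10 hex>\*.exe (self-copy), Roaming\<10 digits>\*.exe, Temp\<10 digits>\*.ps1
STAGING_RES = (
    re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I),
    re.compile(r"\\AppData\\Roaming\\\d{10}\\[^\\]+\.exe$", re.I),
    re.compile(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.ps1$", re.I),
)
# PowerShell writes this file itself at startup to probe AppLocker/WDAC policy.
PS_POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)


def parse_listing(text):
    """Return (files, pids): files is a list of {'path', 'hashes'} dicts."""
    files, pids, current = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pids.add(int(m.group(1)))
        elif (h := HASH_RE.match(line)) and current is not None:
            current["hashes"][h.group(1)] = h.group(2)
        else:
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, sorted(pids)


def classify(path):
    """Label a path so browser churn and PowerShell's own artefacts are not hunted."""
    if PS_POLICY_PROBE.search(path):
        return "powershell-policy-probe"
    if any(r.search(path) for r in STAGING_RES):
        return "dropped-payload"
    if re.search(r"\\Mozilla\\Firefox\\Profiles\\", path, re.I):
        return "browser-profile"
    return "other"


def build_manifest(text, sample_sha256=SAMPLE_SHA256):
    """Dropped payloads keyed by SHA256; flags the loader's self-copy of the sample."""
    files, pids = parse_listing(text)
    manifest = {}
    for f in files:
        if classify(f["path"]) == "dropped-payload" and "SHA256" in f["hashes"]:
            sha = f["hashes"]["SHA256"]
            manifest[sha] = {"path": f["path"], "md5": f["hashes"].get("MD5"),
                             "self_copy_of_sample": sha == sample_sha256}
    return manifest, pids


def match_bytes(data, manifest):
    """Return the manifest entry whose SHA256 matches `data`, or None."""
    return manifest.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    print(build_manifest(SAMPLE_LISTING))
```

To check a file recovered from a suspect host, read it in binary mode and pass the bytes to match_bytes; a hit returns the report path, MD5 and whether it is the loader's self-copy. Run build_manifest over the full listing to pick up do.ps1 and any further entries matching the staging patterns.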