Malware Analysis Report

2024-10-23 21:50

Sample ID 240911-jf2q6azfjd
Target 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
Tags
amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

Threat Level: Known bad

The file 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a was found to be: Known bad.

Malicious Activity Summary

amadey stealc c7817d rave credential_access discovery evasion execution persistence stealer trojan spyware

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 07:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 07:37

Reported

2024-09-11 07:40

Platform

win7-20240903-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\0533f04538.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0533f04538.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1724 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1724 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1724 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 2752 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe
PID 2752 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe
PID 2752 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe
PID 2752 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe
PID 2752 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe
PID 2752 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe
PID 2752 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe
PID 2752 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe
PID 2752 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1404 wrote to memory of 2360 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1032 wrote to memory of 1876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1876 wrote to memory of 2564 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 2112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 2112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 2112 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2360 wrote to memory of 1820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe

"C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.0.833057893\2123601484" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc50412b-eea7-4851-b374-f4ceeb3fdce7} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1292 119f8658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.1.1411731309\1999267734" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb4d8da-e97d-4d40-b482-d325dac77416} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1508 d6f858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.2.1194689769\1622501604" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {767ad094-8e61-4a23-969c-d19bf055ad78} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2112 1a8cbe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.3.1262022709\1766812275" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18cd27a5-b20c-41c1-8b63-335b793427c6} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2920 1d34e458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.4.1094851201\633886597" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ecbe72-1768-4dda-8d54-b5b099f2e35c} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3868 1ef88858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.5.414274761\595020537" -childID 4 -isForBrowser -prefsHandle 3976 -prefMapHandle 3980 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15808894-e6d5-43d2-a061-7f533c06083d} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3964 1e0d9d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.6.1285082113\1402058357" -childID 5 -isForBrowser -prefsHandle 4156 -prefMapHandle 4160 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39541fac-4c31-4813-bf74-c0126d1906c6} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 4144 1f4c0b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.7.295660010\118227672" -childID 6 -isForBrowser -prefsHandle 4188 -prefMapHandle 4192 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3c9b0dd-0878-4827-a640-d268a1760eb8} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 4056 221f3c58 tab

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com udp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
GB 172.217.16.238:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.179.238:443 consent.youtube.com udp
N/A 127.0.0.1:49267 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
N/A 127.0.0.1:49275 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2---sn-aigzrnse.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigzrnse.gvt1.com udp
GB 74.125.168.199:443 r2.sn-aigzrnse.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/1724-0-0x0000000000D90000-0x0000000001242000-memory.dmp

memory/1724-1-0x0000000077B90000-0x0000000077B92000-memory.dmp

memory/1724-2-0x0000000000D91000-0x0000000000DBF000-memory.dmp

memory/1724-3-0x0000000000D90000-0x0000000001242000-memory.dmp

memory/1724-4-0x0000000000D90000-0x0000000001242000-memory.dmp

memory/1724-5-0x0000000000D90000-0x0000000001242000-memory.dmp

\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/1724-17-0x0000000000D90000-0x0000000001242000-memory.dmp

memory/2752-18-0x0000000001070000-0x0000000001522000-memory.dmp

memory/1724-14-0x0000000007090000-0x0000000007542000-memory.dmp

memory/2752-19-0x0000000001071000-0x000000000109F000-memory.dmp

memory/2752-20-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-22-0x0000000001070000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe

MD5 2436f5bc4146385648a72a27897ab578
SHA1 daf603434b49d4bf2866a3f53069845f05130fcb
SHA256 aee2dcc810b97f1bd7809146f7f33887e806561329c0b6288ecb1d315e4f6740
SHA512 e32cede58485391ee8621b939f28e7234095391ad67f944929b8475528f8a08f801d3997138c0935f40d17ec3e703d0d499e7427bcc570102636e1ea8cff2a92

memory/672-41-0x0000000000830000-0x0000000000EB0000-memory.dmp

memory/2752-40-0x0000000006780000-0x0000000006E00000-memory.dmp

memory/2752-42-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-39-0x0000000006780000-0x0000000006E00000-memory.dmp

memory/2752-60-0x0000000006780000-0x0000000006E00000-memory.dmp

memory/2752-59-0x0000000006780000-0x0000000006E00000-memory.dmp

memory/2752-62-0x0000000001070000-0x0000000001522000-memory.dmp

memory/1956-61-0x0000000000AE0000-0x0000000001160000-memory.dmp

memory/672-64-0x0000000000830000-0x0000000000EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/1956-75-0x0000000000AE0000-0x0000000001160000-memory.dmp

memory/2752-77-0x0000000001070000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

MD5 1158fa23e2cb79c12771a096860feedf
SHA1 5fa9824b772a83abc0fa88eee5e8f8b100241aa8
SHA256 94dea146e3d5ca7687593f14d53781b0982d71e5e9add593d466b20ee5f62489
SHA512 3463b09e52fbc0c0fdf934fa4cf1fe2bb7f625492621ba8d612057364e001f050acb8af5f1161eaf0431a7e2a71594245443812fa15ecdd2e3300bc985f7b394

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\fe2a9383-5d36-4a3a-a726-467bb3cd4241

MD5 4d39006fa2a5cc855218eadfb93a0264
SHA1 1eb9d80f34d9641d5cff420812e01bfddcf8bcbd
SHA256 ce969f76d81f69bd8eb453da1a004b7a2102fcdeb1789e1c7f275581670c1187
SHA512 432fb60602b43231cde9b9aa37de9da4d749bf09777c31ecd1d7b5833392df3b2cce42dcedeea5474aa232134562ccbdef700179addaab2ba0a0b45cfedf0e4a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\ede93fdb-8d67-4516-acc1-7bfd366da425

MD5 50a5a2e694cfdef32db878af3cf23367
SHA1 e08f0514393b93df11fa4506463c200e2a0ca5de
SHA256 12b76883b221187bae10f0783ac2ad1ac89af70256c24a81c6ada69e7c6c9451
SHA512 303852499329a32d00792ae517f140cd509a4e14744bf2db7d9b0f6f80b47fd5e8c832686df6b1e0247e5a481168d6f1f5801323656163b28f6402e706f6c2dd

memory/2752-159-0x0000000001070000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

MD5 163217a407c9128f918b6f7a648689c8
SHA1 da5a70eab8e4a4e418829ee962d4196bfb8a371c
SHA256 db94fe7344ba48ee5294a83a7f0ab4e4df421160c768d447fccff74b9c94badb
SHA512 2e9171ef918d4b4d01c599cc7a1b4b37c7779939cbe801f22934228ba1933b55cbabc68e28d6983952c6898e990f89589cbd494dce7c73d691e0612c3bdd0754

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 e643c38a8e05fc09201ff39b750df2a2
SHA1 b791af1fc770f75c5ce4b0d3004f11e1fcf6f0ea
SHA256 57a09953ac35489d75e96aaf365146c85f6fd12a69bde9f15eae6da2c18b2af9
SHA512 28cc0b1425d1e7e7ef58914f5f983063c85bcfac4f361519a5aa04f4cd4596973c13c59b13b0e815c3efd45d72f81402a56e3612d844a24ea3c8f5006a433e5c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

MD5 901af3ad1a9fc7fa6a4da4f36a7d5a3c
SHA1 6056411c46408be8023a5b0d39a05b748d457e90
SHA256 79bda57b1d4447f1b4e2d0add80266175128cce57f1c99794e8417356690d244
SHA512 0fb38ea16aec846c0c9a120482f0b43e7ee0628485854fa5f6d71ab912ac4740f516ad8fb97be5667e9c0e86368eb19c71b5d6405e4882cbb22febf3a88c9565

memory/2752-260-0x0000000006780000-0x0000000006E00000-memory.dmp

memory/2752-274-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-276-0x0000000001070000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

MD5 829a39c8fec89a9f44b0c94d63ab0e09
SHA1 532fb843d278aedd43af11f4ea1cfc5ec67f17bb
SHA256 be9984ea84b60e5fe6be5fe167fe8f7c24ee81827590a38f2a9efff8d233bc58
SHA512 45a856bb22df15c66f21ae57dfb3cdb0c1fcfb2cc2c4a1fc56384452b90295354e84c910e8fda4a0a81373ead37a486386a8535070e2bade0f33954ef3dcfb59

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 d64e540b17aded9e7c6b6fc16889bfe8
SHA1 672b548b88b324849db5aa2fda9fd1f0ed92404e
SHA256 7a0e73535037d58d74dded3a7366bf679ea3c0052c6a23520b4ce915d305cc1e
SHA512 9bb45d940c5bddc2d546a903e8deb23d3731eab9edf339f3d23d4863cd75762d3becf8764d14a9c39b753f621f4b6d3ca5b01875aa88bc7add7574f5b7c4196e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a361a149ad096005b52a465725de1549
SHA1 5187332b6de3f668dec70c90e5483dd91a987f18
SHA256 9012608d9a4943c99c2c18496b453b5157554f9fd9a120f12a393707b89ebb1c
SHA512 7bd6a3ac43755f294b2ecf3058e72a81d74af43facec1a9b69cfc0957947df84ce7cae79e199f3737a423d236ba52b9210115572194e077ffabe4df8460d1cd4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

MD5 390206db54bcf2a78c51343839c5bef6
SHA1 1480d214a9fc4a1c0e878b8c911e9de46d8945bf
SHA256 70dc47a95281f8ecb30bac5b840b59562e4b7aaf8b840491934d5fd1483d8ebc
SHA512 c1151b08e40c49e54dd357a4c9ed55e9ea3680953b19b743f7d5e4f0087bcb54b5e45702086f7bd408a543488f65f0ae6bccadc3c4305e2ef18cc5024e72f652

memory/2752-329-0x0000000001070000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

memory/2752-368-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-369-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-377-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-382-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-383-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-384-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-385-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-386-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-393-0x0000000001070000-0x0000000001522000-memory.dmp

memory/2752-394-0x0000000001070000-0x0000000001522000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 07:37

Reported

2024-09-11 07:40

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4cec8b6b26.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\4cec8b6b26.exe" C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3844 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3844 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 3844 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
PID 1960 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe
PID 1960 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe
PID 1960 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe
PID 1960 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe
PID 1960 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe
PID 1960 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe
PID 1960 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1960 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1960 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 2416 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 2416 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 2416 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 5656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3300 wrote to memory of 5656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 404 wrote to memory of 5776 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5656 wrote to memory of 1192 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1192 wrote to memory of 736 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

"C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe

"C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe"

C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe

"C:\Users\Admin\AppData\Local\Temp\1000030001\4cec8b6b26.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52e52e65-6f6f-4836-b766-aa15660d54f5} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0190e450-e619-42cb-a5d7-9506722ec64e} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" socket

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ffa905a46f8,0x7ffa905a4708,0x7ffa905a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa905a46f8,0x7ffa905a4708,0x7ffa905a4718

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 1664 -prefMapHandle 3144 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ecb50a7-f5f6-496c-9dcb-79bf13a9ddcd} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3600 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5471842-d06a-41a0-9e2a-12f72ae71e4f} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 3640 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6f3a13d-2cb3-4b29-b8ad-682cd8084a41} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4992 -prefMapHandle 4988 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c613709-eab5-40d6-92d4-affd6693e910} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" utility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,10588037494747871828,8763897200364740127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,10588037494747871828,8763897200364740127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 4 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2409b3bb-53de-42e4-9401-cb820b23d438} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6084 -childID 5 -isForBrowser -prefsHandle 6004 -prefMapHandle 6008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {408825d9-2456-4901-9fe9-8a0157019f8e} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6276 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dba4305-c1d2-4c07-b0f3-10b89148ddda} 1192 "\\.\pipe\gecko-crash-server-pipe.1192" tab

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4248813476029174108,8589610856107380486,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5656 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 31.41.244.10:80 31.41.244.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
RU 185.215.113.103:80 185.215.113.103 tcp
US 8.8.8.8:53 103.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 158.124.235.44.in-addr.arpa udp
GB 142.250.179.238:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.179.238:443 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 142.250.187.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 142.250.187.238:443 www3.l.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com udp
RU 185.215.113.103:80 185.215.113.103 tcp
N/A 127.0.0.1:60148 tcp
N/A 127.0.0.1:60167 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.238:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
GB 216.58.212.206:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/3844-0-0x0000000000B70000-0x0000000001022000-memory.dmp

memory/3844-1-0x0000000077784000-0x0000000077786000-memory.dmp

memory/3844-2-0x0000000000B71000-0x0000000000B9F000-memory.dmp

memory/3844-3-0x0000000000B70000-0x0000000001022000-memory.dmp

memory/3844-4-0x0000000000B70000-0x0000000001022000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1 14e7cff2628e339009821bdb95673a40299149d0
SHA256 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512 d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

memory/3844-17-0x0000000000B70000-0x0000000001022000-memory.dmp

memory/1960-18-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-19-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-20-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-21-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\2fcf65c00c.exe

MD5 2436f5bc4146385648a72a27897ab578
SHA1 daf603434b49d4bf2866a3f53069845f05130fcb
SHA256 aee2dcc810b97f1bd7809146f7f33887e806561329c0b6288ecb1d315e4f6740
SHA512 e32cede58485391ee8621b939f28e7234095391ad67f944929b8475528f8a08f801d3997138c0935f40d17ec3e703d0d499e7427bcc570102636e1ea8cff2a92

memory/2656-37-0x0000000000AB0000-0x0000000001130000-memory.dmp

memory/2656-47-0x0000000000AB0000-0x0000000001130000-memory.dmp

memory/2656-46-0x0000000000AB1000-0x0000000000AC5000-memory.dmp

memory/1960-55-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/3456-56-0x0000000000770000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

MD5 e05e8f072b373beafe27cc11d85f947c
SHA1 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512 b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

memory/3300-64-0x0000000002720000-0x0000000002756000-memory.dmp

memory/3300-65-0x0000000005130000-0x0000000005758000-memory.dmp

memory/3300-66-0x0000000005790000-0x00000000057B2000-memory.dmp

memory/3300-68-0x00000000059A0000-0x0000000005A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aoeyxnpv.dhc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1960-79-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/3300-78-0x0000000005B50000-0x0000000005EA4000-memory.dmp

memory/3300-67-0x0000000005930000-0x0000000005996000-memory.dmp

memory/3300-80-0x0000000006020000-0x000000000603E000-memory.dmp

memory/3300-81-0x0000000006070000-0x00000000060BC000-memory.dmp

memory/2656-83-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1960-99-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/3300-100-0x0000000007020000-0x00000000070B6000-memory.dmp

memory/3300-102-0x00000000065E0000-0x0000000006602000-memory.dmp

memory/3300-101-0x0000000006580000-0x000000000659A000-memory.dmp

memory/3300-103-0x00000000076E0000-0x0000000007C84000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 983cbc1f706a155d63496ebc4d66515e
SHA1 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256 cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512 d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

memory/1960-128-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 ad8029b67d6da6ca8dd2045c1615d7e2
SHA1 5a511beb7c0f050c7a100338d600edf485bd9e1d
SHA256 e57bde9bba2b5d82f9497db3cc3e6916dd0781e7fe3bab74f067909c2b8233bc
SHA512 65df9b05d9f08f025afe97e222a2be8535cf53de9c80316bd6f03db813ac012102f1de5254e5e1059c7a863505343879d5897e9c8d300974e1d1104479ce1d42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\6ff11abd-7c56-4e8a-af6d-372c37a95450

MD5 218aaec6631a2f8c9ce27788d08d1c96
SHA1 56283f64163628a401296b07cf21a68114c0f85c
SHA256 98734b8741b27b857e19f88f4f1c118b852e6bc6c256beb9dfe37bc5d8d4b218
SHA512 ec42846e8be951968274d9102a96cc7dbc145967534af9d4098e27d8f03f5d0a524428c1504ca7be7cc6910babcf3ff78cd2b5805645325edfd91452fee04a40

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\f892b125-7b0f-418e-bb41-ba83984ca06c

MD5 57407f1df89f44cd80c37fe272c4f4d9
SHA1 ba50c353be2e6aba1f5aface23c27d642606c64b
SHA256 e9bf8f1c6b89c2f398e4c50821f5c86342136ba15b0c6c7d6ed0d209d204189c
SHA512 6abb3eea8789e605c393ffa4027314c1d65515e7f0ed83fecd993402e9e5e80a21230264021cb5e6980f73f1f7f41fe8484c88722d4fedefed591eb3d65eddb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c00abb7c-0484-410a-b82f-7482809b2858

MD5 b52923917bfddcdff470545a9cc871b1
SHA1 4bb5b5679681b57c5574216bf937a86ff1d34ccf
SHA256 9343fc59cd0631f3aa49364831c1762246eb8333c7a81049e3eb0a2067d823f5
SHA512 31c025e157a3f703ec6ade6b5a750b7d5fe5447777dbd494be9e7c42501ed74bd565ffce170fa572e78b6af59d456de0d027f3a67b753842df353083f360d104

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 404a8ff8ea1215f7a7d4f2e9bd8d07a3
SHA1 6079a76677f0bc020de519c820c6960890d302b7
SHA256 aa7e503874bdd25c6be45e8c85701b2adc21b241fd7582ac2fad2fa6e5108d61
SHA512 b91ad4ad8c4b5de8e4d9eb2ae87944b5df91c68174781a7e7bbec1356538deb5c6ef831b4b97d6cb23bff898df11f4cfdaed332985a2a1c1c79ccb96323c1e2a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 b065c63ee4c99bff417bbed09d50a9d7
SHA1 77999c17762934b3b54150020b5a5b56ea386fe9
SHA256 ff36128147d49f93e428c4cd75c9cbd5c586376514f7420f0ce9dabb1e982e23
SHA512 7df68515c40166defe65c785b08f87ae2aa7e5d1023657ff3b33b88be8f57de859b44585711b148e4327260c3ab626a95f981459918e2fb7240f03a3671be56c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 111c361619c017b5d09a13a56938bd54
SHA1 e02b363a8ceb95751623f25025a9299a2c931e07
SHA256 d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512 fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 60654a4c97f9d741261c4f2e5321ae31
SHA1 ce1c079e9ecbc849e7633f1e1cf27e39868fe444
SHA256 5a90c88f2a3d80b647ae89a22a6fa4fb8df56b2f5e14ffaaf9f72a559de4f7d9
SHA512 a2101b7ca4d05173098e5556b2525c046b54340103204c51d06d08d68ba855c435bba297786728f63de9ef91492318a0275baf6c28f0ac74c842a5e01d232b5b

\??\pipe\LOCAL\crashpad_6120_VICRHSVVIZZNTQOE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 77a7a671bf4c1a44f3679fb905e3ceca
SHA1 c7ab2881c56d36d9120abf24953c9efd7d6fed2e
SHA256 7264ab8a035fd4c2c13e3faea96bbdbd01d28040d77f0823bef620d722b8068f
SHA512 af650a61ed70f2c53316e0a61f9829f7ad3e8300620c44f344569a98ede2d70936e41e901ae3cec6676eb689b13d4e3eeee994d8d8c7d3b0c2c0e8bf225515d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

MD5 140ce4f29f9edd314d8c8197bc202729
SHA1 de85a4f68df59791f15d9504aba4ec0f312e9676
SHA256 6da85a023d725fcdab36a50dea7fe90130ac3991ddd1ca90c728b2da97116211
SHA512 58066c6001d90e5b740f0d7d8aa4f5882175098b1963513e18839d0ac5859314801a973245db5d36e5d3a51c44ae7662d68bab4308655aaa2efb093323edfe0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 75fbe077d8d1f066940948d8f41ff882
SHA1 e6155dec5badcc1b4961b50bfc2106f4d424f4e7
SHA256 9d1bcba291ac5377e4f7a0e0a9cd4779b3fd9ddce35b0a5b7f41d73fed191d60
SHA512 c5737fa5698bda95907ce4a2134da2d36e92311cfab53410a2de36f32816803090f007d6aed7eeca06182484153c1da863662c66368543c766ac45c3985523ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 0a8a528189564ea5bf57f886960c2c9f
SHA1 a973847dd09f5314c8364f85b3bb877e810088b8
SHA256 9ce68fb8e86b55d7d05dc83a3824ae95c43e70890928fe32ec4c538ea2acf723
SHA512 9c28b4c86fb8199af13437bc788ed66e18228ca3f0fcfcf469abbffc176375c0cf0b9f59e8fdf0df828a4597782c2ec414b73d7d4d06adfcb0d400e0219ce129

memory/1960-531-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/2656-532-0x0000000000AB0000-0x0000000001130000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cookies.sqlite-wal

MD5 59f104aae03b73f59bcb4b4ca680849e
SHA1 0c00350261df94978b068e5676fd4122bf6026f1
SHA256 016dcaa90745b00b8b5607191e427f9b3474a3e0dca25451aba9485dfe280eab
SHA512 f889e87302dc81212090a11ac465cdc3a32b749f9011b4ac0640c4fd600614a5df0f32e0ae0d6b25ab2ca6a0b323fb449568deeedf6e29f596488e8897c54208

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2656-628-0x0000000000AB0000-0x0000000001130000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 6eb1deba7860336086483cbbfc828323
SHA1 c5b544240ec9b31c93a9962601f6dc6741a4b54c
SHA256 6f9afb01f93569d5ef04042c9d1a445c2434101530d423a9457fa9a38d836394
SHA512 76e03c108c5012d8790b47af1e29f7bbd5188327940d5fbe5cb7092fd9bc2b5f28e00643c94a52e0dc68c2e3644f9b45e5c1d3c6db3950cece54f30b890135ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\places.sqlite-wal

MD5 3b76dc7a293a8dfc38f27f152bc54296
SHA1 8b1f34caa4d1a0e479ba7745914738499952fdbd
SHA256 c1a6e76d8b513f99f617d2701fb73480be790f9d53b62d08a51c7f55864ea58c
SHA512 108c92326de03a4255babe54ca6ce8a5c1431a7f73c667272bf17060d35b743854a1ab2f57cafd682162c13c706f1416394e9be50c4446a2adc9c652a7ad6931

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\places.sqlite

MD5 069b45cfe64ab8624b3eb9e5ab2235a1
SHA1 5af7770e592203e4d0d0fabb49b589d922abfe9e
SHA256 619654cc7a56aa81cf3d5d2a8f5bbd386eee978114434bfd6d95eba3ebf1c5e9
SHA512 68b51893374cb0258b25a1d107e7e83796ffd7079ff37d705261084d99574b786d2dd8575d8ef1e3d7a7f759c5721a4f60dca95ddd7b7977761d1ee8fc6ab390

memory/2656-649-0x0000000000AB0000-0x0000000001130000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 04797f3191e4159f0240ea2b5a2e2b9f
SHA1 1be1fdb0dc5965a550923c795e6af50694bb06d5
SHA256 2ad8e1f50f5d275a8378f2559bb7269e85ffcc6edf25c2f6db447cd84b6db76c
SHA512 feb5371085d0bac1375c46bb19bcacb509082353630363c9bcd35307a0e6f5437fc1c62dc855d0bc413d11ef9c2a35b7e0a0a82920d31f6c08c5cde1b3f2cb57

memory/3456-670-0x0000000000770000-0x0000000000DF0000-memory.dmp

memory/3456-669-0x0000000000770000-0x0000000000DF0000-memory.dmp

memory/2656-673-0x0000000000AB0000-0x0000000001130000-memory.dmp

memory/3456-678-0x0000000000770000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8339aa168dc83e0fb85e58870199054a
SHA1 af448632d4181f8e9c120d107eb9df3462839277
SHA256 e08d4ac0199d3c7aac13dc9dc9d05e59da58eb100c6dccc05e4755bfdc877047
SHA512 627af4077c712484cce6f22a14a3c737bbd7f0f4aa6c19409750f90d7797cdbfcfa16a2e6ae2e1efd05765c380de9438a0ecb167f38c4e980386f6d3b7339a51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 023e418dfb12696c7482211e4f6337f8
SHA1 32637a223747d0608f3554eb3c985cb022ed37bf
SHA256 05b7bc6440505999dcc573b19a01483e1477cad9ae23c8777c7325db7e1f8989
SHA512 33b2ee7b77bbb019129e0e2a83c5136fde02368f97398a329db1986110766f63dda75df06e051b4b44030aaf8fe462457c3ed022d28a3d5a3d741fa4efe0140c

memory/1960-709-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 2e7736e0f2049ffd5a8f7017afb94b26
SHA1 9557cb56258755ec6f74660900ea3799cca72d0e
SHA256 b2f77b4823e9f2cfcf1e0e9acd37a8c05179ee72f5d41f6ac48a2448b4e3c603
SHA512 dcf2fe7eca3ec917ca9eac3d73c2ac20f98fe6e88deec39a3805a0cba74b9ded8f131198ae527b0cceb088a412689895317bcbff3171e4a098aabb18d52f272d

memory/6468-719-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/6468-720-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

MD5 1ab8556708f08a0bc3613013e6ef4fff
SHA1 cad0d5f243ae6124ba03ad7d99a21b3eb2788d4c
SHA256 a142e0949986a2688fe7733e3dc422bf8de3a9dbe0eafa6a59bfa54bfc5e943b
SHA512 9827c57b24313fc4ca2240370bd910f7aefd09ddd51969093eda6de21f2d3fc2bdf606139838cfa3c689abc7e1ba482e2fc4b00972a18c9a3a828c6fd29c2569

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 7e0548d03cfbe5a1c3b1fdfe3f78b926
SHA1 ceaf26a24b58dde071624ce9f4f824e0794dd9e2
SHA256 1b50e3c42e7a33f5b9a34b00bd4c8787736bfe217e73b8f303496f0696c9c67c
SHA512 3f8d6b069259afb01ede4afa5a852e4cb0c2676e5d48c253ca8ad5d3c2adde452294187d9f140f0f2e68d7e02129f649e372deb1757344633c3b92fd3ee7b603

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 eb6bd27808c03f087cccfba1657cceb3
SHA1 05633decd69854947ca20aa6c6f0546b34ba105b
SHA256 840daac35bcc9e75d62c4e9462b54fcd099bec2b443a896a9421d421202a41fc
SHA512 5f30ef85fea15a4e7e35bab048a679511dc66a000cc352559f4f5f531ef5ab0c75cf991a2add6ea15b4f5e52483de4c11ef966a397dd99c504a755d7932fb937

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

MD5 3e5e63d7a481d7538e67b2354120d67c
SHA1 1320dd31eb806d2477f0d36215d1b29522aa8f1c
SHA256 c6b17d78e8a5943b0847959e2fc0f3956694a1278c2fa68736056e7bc8590553
SHA512 bc522590791129ef571ae1d04556cbede7f99e1f2fbafcd092e8608039084bd8bef18723e719fea7c573ad24334515c2322309aa0e54aec7f009e9a0024226de

memory/1960-812-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 cf0d591fe7b736410e0f724d403e5793
SHA1 4ddcdc231fcde4c13ab914aca39316c9fb7f886b
SHA256 fcb1b7e388d44d998cc70442d7c617227bd376a9933078a0f41640c85c7b625b
SHA512 452c87468a029fff745ae234f4287c710b48c4a96d8895e0d8f50f7bc78d47366d6352e6cde934451b2f0483684ea06bdbdea8706a661cfe8cb1dd079ce93be8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9e60b19a96fedcb2ae124ed9603e94f0
SHA1 f5153ce525a2573a78b5022a83e4f0794a8e9bab
SHA256 c3203328053356d274a67b18452238c6bbc50b760abe2d41fc08dcf8ae2d89ce
SHA512 6c9aa60778ad9ef611eebc09cf6ad53ccf1bb700b83ebd9079446d3579b006119ee9b07fc0ad0d901c931e3f0d5c080307355c2f46373646e3fc7a233d255474

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

MD5 ddc003dde88176898e3fed3ce66695c2
SHA1 d48c81a3d0edf4186819ef5db21c97b0c09c6260
SHA256 113a160020db68ee25708c9658a63d0b3e1cf85aa092a48059067ef97bf155d3
SHA512 3de69101374f59adb1d347707bc7a7fc7ca27f2c59fefac3b4fb8e16ddec2b7534bb574f3c677b74c14a0c9d4129e5ed2a834f325bc771c08315fd2556c596ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

MD5 11205adcfc5580a2855811592fbf3e32
SHA1 ea3f6d1445b04812add95867a34fd3e03204fcaa
SHA256 dce7fcb0c6abc927f37db11022a27804e537d6246770f65ce9d8877de825d740
SHA512 8727a4e4ef4dd05b5de9000326e52b31feecb7c1878faa9d616736cf49a30f8e4f1bae3a27854313ad367e32e232a0d45a83be9b589dc44184288b072acaba95

memory/1960-1250-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2310-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2879-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2893-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

MD5 b645fbd8d311543a2d0914e94285adff
SHA1 7d3605d9041549defdebd680f7fefc0325e4a6e4
SHA256 bcabc965217e1215e10066f48a2fd1ac5b7efead978f295a9536292b46f2866f
SHA512 89a5ae63072501db4cd27bb74c35cef8db9fe3c5e5f8d87b70b0d066ae10813abbd674231c24e82864d23a8887ae487f055b744b171fce8f9153636d4ff559c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 98f8028e207eec08b4afb4dd4b541370
SHA1 9c2a3f383e9719d72f37b28eac9be14130fbfd83
SHA256 958ff60ec17cbd370f9303fe9bcb6e4fc55da591c3e299eeb592151ff2ce5de2
SHA512 0c370656c506ec7b5fb415aaafd0ab1e2b6a902fc3e7ce7359b625b41264a18a5c01a11bd14ea760d5258961a9b8782ea7c4f18a97b76f89e0d8d55f563d5c46

memory/1960-2918-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7940674e431eee55d12a007b679e9844
SHA1 99c33288c24d13441514b19457c47a13d1c377a6
SHA256 6a2dbb024f0b73dd1fd99f5aed7f84cbb6f538a0a7865aeb0e99bfae4cbbc119
SHA512 0a83a48a58f1132cba3a543579bb6714c36c679db2619f16272638dd91fbbf1cc8bae78f77b93daec2060f03647f60b5f2b597f30ea5204b7c829c2fa53e2110

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595356.TMP

MD5 85339aab5e9c4536c1fb89f6b74a3ac0
SHA1 7c906cff33fc40ab40330bba180d94c64484bfad
SHA256 52ecbcbe394f5f7a0ec02ec4da339ddc3edc16982695fdbf0af7c88de6e9528d
SHA512 e2e9e20577b8b88e65d9354710885ef8939688fb662cec2195b09eddbbd23bcc95e397b3564d8ed603b1b917d543d4dd663bd0f02f17814011719e9eb433462f

memory/6448-2929-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2930-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2931-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2932-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2933-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2942-0x0000000000770000-0x0000000000C22000-memory.dmp

memory/1960-2946-0x0000000000770000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 5ca6cdac079535145a3e42f63ddd7899
SHA1 a7a1b666e2dbc96d7543fecb48d43a095dd0dc1e
SHA256 031e9f02e32afdd5da770255ab113b859a32ea53fea3dc8b17f0bdd789da5858
SHA512 f953872e9a8073396b4eb3bf9ab7d41276ba7c87f9124779db205dcf580ab88914ccbe6020587359efbaefc271496a7c71224c1d244d6c95b426345dc51b2710

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f26542ec95f5ed270ba912479403b47f
SHA1 85bc27be98a0026f1a827e0ddd25496155e701a5
SHA256 20bb4a22aa18d2306282e65dc488902f91be8c827b5ad51b834468bb13415091
SHA512 61fe5f8732d9e7689f5cbefcb68667a9ef8de68bd042bd18b54e801c3bc22e93e7aa6979e0cc46438ffb65688b4a2e3f445c856c99a0e04a34511a2943c60249

memory/5456-2967-0x0000000000770000-0x0000000000C22000-memory.dmp