Analysis Overview
SHA256
fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844
Threat Level: Known bad
The file fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844 was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Identifies Wine through registry keys
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 12:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 12:16
Reported
2024-08-17 12:18
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Stealc
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4244 set thread context of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe
"C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 12:16
Reported
2024-08-17 12:18
Platform
win11-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Amadey
Stealc
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000003002\8efb2a0d6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\c6890516f9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\c6890516f9.exe" | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2680 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 736 set thread context of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3888 set thread context of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000003002\8efb2a0d6e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe
"C:\Users\Admin\AppData\Local\Temp\fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe"
C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe
"C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe"
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\1000003002\8efb2a0d6e.exe
"C:\Users\Admin\1000003002\8efb2a0d6e.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d415ea4-6565-4fc8-afa2-154422a0b73c} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddfc0c33-f038-41c6-8c50-abb8ac752077} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {881c3883-9fba-407e-b0d0-4721805e0dd6} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 2 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9703ba4f-72e3-4019-8062-5ccfe118c5a9} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4708 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6d9202a-5522-4e81-b751-8a6fe04b4279} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 4880 -prefMapHandle 5528 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eac4a1f3-eb1a-40ab-a307-0cf09ec67dcd} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c972490-2368-416d-a0b0-5a3327a45158} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5996 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75fcd2b4-8f68-462a-a6c8-60c8b8acb2cb} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b32a036-cd2d-4cfe-9ea2-f75f4da7f995} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" tab
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 185.215.113.13:80 | 185.215.113.13 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| N/A | 127.0.0.1:49946 | N/A | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| NL | 108.177.127.84:443 | accounts.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| N/A | 127.0.0.1:49953 | N/A | tcp |
| FR | 142.250.201.174:443 | play.google.com | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | tcp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | udp |
| DE | 173.194.187.41:443 | r4.sn-4g5e6nsd.gvt1.com | tcp |
| DE | 173.194.187.41:443 | r4.sn-4g5e6nsd.gvt1.com | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| FR | 142.250.201.174:443 | play.google.com | udp |
| FR | 142.250.201.174:443 | play.google.com | tcp |
| NL | 108.177.127.84:443 | accounts.google.com | udp |
| NL | 108.177.127.84:443 | accounts.google.com | tcp |
Files
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\RoamingHJJJDAEGID.exe
| MD5 | f92bc75eb1dd5151fcda78609b39c232 |
| SHA1 | 4f1fb77fdd542f67d30cb26acca5747c6e01890e |
| SHA256 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379 |
| SHA512 | bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6 |
C:\Users\Admin\AppData\Local\Temp\1000001001\c6890516f9.exe
| MD5 | 308d0996727a81dfcb72a69e1a132108 |
| SHA1 | 9b48220c70d23d2022dd33b142ba6ff8f878c7e6 |
| SHA256 | 76a0ee2a9aca627171bad5a4be2029e87eefed2cbb7c63532c3d4f5ca53e2e88 |
| SHA512 | 65503827ac96c6a81c6ab6a6428286b6b43fd78ded0ec255e21ca3d6f2f4ce8f2fb4f3167afcfd7c6e9b997dd448c937bea01b676f645f33dfe4fd9b88ad2c25 |
C:\Users\Admin\AppData\Local\Temp\1000002001\8bd2c04262.exe
| MD5 | aa217dbf9cb8080176f0bae19edc6305 |
| SHA1 | 1753b00e1dddb7d9635ad0e9d285907445cc70b6 |
| SHA256 | fe1358ad307faa38e2a7d3e26de443330a6af65499cb1e7490e8f2ba772a8844 |
| SHA512 | 0beae14810a852de0449675577854fe68947ffe30de89488e71b5ed8c63ac21d88d20b23d3614441aae7de40ad6bea12dbe4278af870defef85457478a6b56ab |
C:\Users\Admin\1000003002\8efb2a0d6e.exe
| MD5 | 278ee1426274818874556aa18fd02e3a |
| SHA1 | 185a2761330024dec52134df2c8388c461451acb |
| SHA256 | 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb |
| SHA512 | 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0 |
memory/1620-177-0x0000000000480000-0x00000000006C3000-memory.dmp
memory/1620-178-0x0000000000480000-0x00000000006C3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js
| MD5 | 70ae9c387ce55d93f8ac71681aeef294 |
| SHA1 | 3d56aa13bdfb324e6c01b9b5cb132096e4d67789 |
| SHA256 | 754225a6cd92dcc3a92a022d64305553a0e2564e37dd4cf884d171eed339cc0d |
| SHA512 | 8e76b9ecb2279cd86132cadf77e7f05c8cd6b1404db72d9b15a757c806c0ee8497d665d7736cbe8336b30fa6af3688250e240b45337ab80b7a7f85e4b60aa4c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\91b7cd40-dad0-4480-abd2-a22dcdd9fb63
| MD5 | 3c6042283d9721ac0cc9f00e80f86d7c |
| SHA1 | 6b2750b68d48f7f605cf7163394d3baa39d98f52 |
| SHA256 | 67ab4f0d9e59e6de640c43d7379f038c5299c5efe412e66946a3783226870c70 |
| SHA512 | 2d394c6da1eaed625ff7e7e1d181a048d46114dbb05db1c1360550bba6f53e26ca474de0bb4301fb0775bc194db6dcbaffade7311d22e729066c48a2996980c2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\94349e4f-0200-47fe-b3b2-3a8be812f43d
| MD5 | 9602084efd7487f23acd9c2607187560 |
| SHA1 | 3d3fb13d91fc97cf3aae44ce20819dd09640342f |
| SHA256 | 6ee8a0887211e1159357b6376c672e7ff06300572b1e4c72a48c242a5cc2139e |
| SHA512 | 1b35e546e486aa62daf04a0939ee80d0ebd5d16169b82afe69cb268fd941830f12740c3a93ff819d61f89fff8f6d5ada5bc82b18b3a98ca12e6838016f9e50aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\03a1553d-02cf-4886-b13d-33a8ba4a8f45
| MD5 | 8c4c3705a86532e3531934510291b4fa |
| SHA1 | fe20396c6c25e0e939ab78d62db2daf893eaf43c |
| SHA256 | 7eea207c3708461f5277a25af1c86c3999d42685f62315f7d07c62ece4c1f4af |
| SHA512 | 04eaffe9cf937260cc7764895f8b1904b0d7c6ba7104a96955afbf98f37116bbc11ac3c14591d8c70707179a09642ed4014cd99f1e204395e5a489f38d7a4491 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 7d44c04151146e70909871ebcfa2e3be |
| SHA1 | 3ae7b2170dbdb0709fc1933e4092a9b2da52cac4 |
| SHA256 | f041c6e7b9612603e33b996015776a673ff159d6a2577732786458e3a25a2bd3 |
| SHA512 | 4b2fee941bb4d7813df2ae9e1f296742150782b122cf2d389e4ec592a6f79f7bb8b1d8144b2e8e7ecc0e10ed6891968a787f7a6f4ab83708ff83aabd104cdb85 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | 3f3c564e2df8f877334fa58a359a9196 |
| SHA1 | 9df5ad5b9ebf44eca71e989ce57c55b59a18cea0 |
| SHA256 | 17ec147674c18cfe00cf2ac92d44820c3f952691d805f410944332b57fe4f5f3 |
| SHA512 | 64a616898b746a52e53cd884b81c269e81ecb82283ad1e0a0fc32a17fd936f50e4981f6065607efcae6b6ae85c9158b842b6e03789bcd0c22e14d6832d127b3f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
| MD5 | d0f177cf7ff50866f2adabcaf04baf13 |
| SHA1 | a302477743915ea494804f02fd9dfb2ed900426e |
| SHA256 | 198fe738c090197659138f2161d7449397939b7cc9c2d533265906a1ce84300f |
| SHA512 | 2e1505f86837991bd30f9921e93327db883e5c26de22968ace4b23064567f7f2c4494d8a094586fd2adedd511d984a18194425e521a1552d7b4d862d24abd217 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin
| MD5 | cb9a705e610d956164d07ff991c6c72a |
| SHA1 | f47c8071fa948ad0d579e9a6e134ec642e391bbf |
| SHA256 | ad83dfa86df8dfe33c7d4298e7bfe21866901b80e1a50fc5c82bf05608893997 |
| SHA512 | d8416099635095ff7982c4a09a70932a4d8ce55d8c35315e453d8eb6a82ccd4478961a143091ba346ab8a96e4f4d89e4100632263a64206218fa6a5bed965c26 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js
| MD5 | 7b72d78563594ff746f8a022579994b1 |
| SHA1 | d7e7ccf5b8b8e36d27ce23de5fdeb43a7f8f951f |
| SHA256 | 62d5474d00f9a9cbd854999805aaa46fff3c1e5f384aa7435de08a05217f0629 |
| SHA512 | 2519e0290753317abf71a04ff8ce7564de21608e2c28c62aabec7c45c22f8c22ddb267a74f12084837b0eaf5324baf38d7ea23fb08402138c6b5ea679aa0def9 |
memory/2964-505-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-506-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-555-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/5252-561-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/5252-562-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-563-0x0000000000410000-0x00000000008B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 362c40dd9d7c0d2887410cccb91a4a9b |
| SHA1 | ddcf8485644566048a1c2a3736dd9e860608a75b |
| SHA256 | 48077af2f4a38c3a9132be2fe374d2d14f8cc611d39b189724db8bc5e5263876 |
| SHA512 | 53adf103052a48d3fd07da54f501720a4e3f9a196f4be1985f8f7477ace5b7bb1e6fbf5f442a73045b69f0ed7558cb6219e8c8a4dab108186c9a28b2003f0a47 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js
| MD5 | 19b112073814baf07088d13c24a0088e |
| SHA1 | e4a62e062922bbba12044b97bf3004970f60b574 |
| SHA256 | 6aa38ac5538575d26cac4c36702ad4a00e34e58d17d4251538cfc4267389e806 |
| SHA512 | 23c3707af656f2fda62efb3f3ab34c7f83d46e8c6526801c02d9f0b3481a33895092c0ca7b101a493d201cc2d6012e72f242e33408f30962840567c8ce6106f4 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
| MD5 | 20997c9ecaa974b20bc17b6f8919a990 |
| SHA1 | bd4aa1c71ee09ba38cb780079b1c9eb00c9d9397 |
| SHA256 | 381965e2a191b500e5ea7a5bbe018e9110144daa6424351ffa1933c4d97d41e1 |
| SHA512 | 5384dbdf7ac547f074244e33277d0efa4976c2959058f76fe183b9c8888ec429fceb396a143ed5d620618f108c4423dde20759ac3cab6ad09e4e27d881695711 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 2fa181571c8d8192e042a3977920ea2c |
| SHA1 | 5ed3eaa24c0e514154ac0dfecb776ddbe60732fa |
| SHA256 | e61fdd7e4c00164e8e2157ce895e5b434f29b05175906ffe28a94ee7fc4a2f71 |
| SHA512 | 937168a099ac0c795abbdd08a0e29f2bdd1b4da3b204edb5ef6026da4b8fcf55e0057d2ba27e7bbfc263310ab07a6f4576fe17feb3e055f9d63800ffdb09e4ed |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
memory/2964-1302-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2521-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2668-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2675-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2678-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/4712-2680-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2681-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2682-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2683-0x0000000000410000-0x00000000008B6000-memory.dmp
memory/2964-2684-0x0000000000410000-0x00000000008B6000-memory.dmp