Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25/08/2024, 08:27
Static task: static1
Behavioral task: behavioral1
Sample: 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Resource: win10v2004-20240802-en
General
Target: 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Size: 1.8MB
MD5: c0f13624a29524295f06ad286784723c
SHA1: 1069e278b7f540327870549e0e5b79009974fb03
SHA256: 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9
SHA512: 9a236f478acbc258f471f2b457e13964b4807bdaac01d05e120b52539e9ba180a00a5c993ac4d5277fcb9bc1e190f6acdbe1cb4d71617b993be73011199a9b0a
SSDEEP: 49152:5iwta4qiefdzmuySNR1TOFBFn8x96HTL+PnksrudIKo5TtCQ:wwt0aaci2Hv+Pnku95/
Malware Config
Extracted: amadey
  4.41
  c7817d
  http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php
Extracted: stealc
  leva
  http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers [1 TTPs]
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 08335b1e04.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 08335b1e04.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 08335b1e04.exe
Executes dropped EXE [6 IoCs]
pid | Process
3452 | svoutse.exe
3540 | 08335b1e04.exe
4020 | ec98eea4cf.exe
5504 | svoutse.exe
4220 | svoutse.exe
5964 | svoutse.exe
Identifies Wine through registry keys [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | 08335b1e04.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | svoutse.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000700000002aaae-48.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
pid | Process
2412 | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
3452 | svoutse.exe
3540 | 08335b1e04.exe
5504 | svoutse.exe
4220 | svoutse.exe
5964 | svoutse.exe
Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\svoutse.job | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 4 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08335b1e04.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec98eea4cf.exe
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Enumerates system info in registry [2 TTPs, 3 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses [26 IoCs]
pid | Process
2412 | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
2412 | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
3452 | svoutse.exe
3452 | svoutse.exe
3540 | 08335b1e04.exe
3540 | 08335b1e04.exe
4020 | ec98eea4cf.exe
4020 | ec98eea4cf.exe
2844 | msedge.exe
2844 | msedge.exe
3688 | msedge.exe
3688 | msedge.exe
5504 | svoutse.exe
5504 | svoutse.exe
5568 | msedge.exe
5568 | msedge.exe
5752 | identity_helper.exe
5752 | identity_helper.exe
4220 | svoutse.exe
4220 | svoutse.exe
6180 | msedge.exe
6180 | msedge.exe
6180 | msedge.exe
6180 | msedge.exe
5964 | svoutse.exe
5964 | svoutse.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [6 IoCs]
pid | Process
3688 | msedge.exe
3688 | msedge.exe
3688 | msedge.exe
3688 | msedge.exe
3688 | msedge.exe
3688 | msedge.exe
Suspicious use of AdjustPrivilegeToken [5 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 1580 | firefox.exe
Token: SeDebugPrivilege | 1580 | firefox.exe
Token: SeDebugPrivilege | 1580 | firefox.exe
Token: SeDebugPrivilege | 1580 | firefox.exe
Token: SeDebugPrivilege | 1580 | firefox.exe
Suspicious use of FindShellTrayWindow [49 IoCs]
count | pid | Process
3 | 4020 | ec98eea4cf.exe
25 | 3688 | msedge.exe
21 | 1580 | firefox.exe
Suspicious use of SendNotifyMessage [15 IoCs]
count | pid | Process
3 | 4020 | ec98eea4cf.exe
12 | 3688 | msedge.exe
Suspicious use of SetWindowsHookEx [1 IoCs]
pid | Process
1580 | firefox.exe
Suspicious use of WriteProcessMemory [64 IoCs]
count | description | pid | Process | procid_target
3 | PID 2412 wrote to memory of 3452 | 2412 | 29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe | 82
3 | PID 3452 wrote to memory of 3540 | 3452 | svoutse.exe | 83
3 | PID 3452 wrote to memory of 4020 | 3452 | svoutse.exe | 84
2 | PID 4020 wrote to memory of 3688 | 4020 | ec98eea4cf.exe | 85
2 | PID 4020 wrote to memory of 2676 | 4020 | ec98eea4cf.exe | 88
2 | PID 3688 wrote to memory of 1164 | 3688 | msedge.exe | 89
11 | PID 2676 wrote to memory of 1580 | 2676 | firefox.exe | 90
38 | PID 1580 wrote to memory of 2804 | 1580 | firefox.exe | 91
Uses Task Scheduler COM API [1 TTPs]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2412
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3452
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\1000013001\08335b1e04.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000013001\08335b1e04.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3540
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\1000015001\ec98eea4cf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\ec98eea4cf.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4020
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3688
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3e913cb8,0x7fff3e913cc8,0x7fff3e913cd8
          PID: 1164
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1808 /prefetch:2
          PID: 2544
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 2844
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
          PID: 2096
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
          PID: 1816
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
          PID: 3328
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
          PID: 5880
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
          PID: 5892
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
          PID: 5376
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
          PID: 5660
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 5568
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 5752
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1700,13276224590695459871,12522319463651816982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4576 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 6180
      - [depth 4] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        - Suspicious use of WriteProcessMemory
        PID: 2676
        - [depth 5] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1580
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {769a1b5b-336d-4509-a62c-423b158d7805} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" gpu
            PID: 2804
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d8ff94a-3eff-40bd-95af-ebe23bbe18f7} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" socket
            PID: 1040
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3468 -childID 1 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c76dae4e-1231-4a9a-b606-93443033b2f2} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 1128
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3880 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbf5b6ef-77a3-4017-ad40-6821f8e39411} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 1836
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4608 -prefMapHandle 4572 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07b72cc-8765-45f2-b21c-872b96eb3448} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" utility
            - Checks processor information in registry
            PID: 4664
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cabefd47-e1cf-4027-931e-b7e384d15ae1} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 5596
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f12ca51c-cdfe-4033-95a7-fe202c105376} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 5624
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5924 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72352872-ca46-4193-83a8-7a4caa4c4c03} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 5636
          - [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 6 -isForBrowser -prefsHandle 6212 -prefMapHandle 6208 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05738e51-df17-4295-95d9-3f6d4daa0830} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
            PID: 5188
- [depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3520
- [depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4664
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 5504
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4220
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 5964
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5058032c530b52781582253cb245aa731
SHA17ca26280e1bfefe40e53e64345a0d795b5303fab
SHA2561c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e
SHA51277fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f
-
Filesize
152B
MD5a8276eab0f8f0c0bb325b5b8c329f64f
SHA18ce681e4056936ca8ccd6f487e7cd7cccbae538b
SHA256847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da
SHA51242f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize336B
MD5c510932e87077b262e4417758b9c4501
SHA16f51cc76f10ced7f53fc1791ce7da5f7d179bd17
SHA2562e998f3a32482bec7a0d4f4d2bcc7dfb2dd62d9c81cdc9cc6ad8f00ad774f0b4
SHA512683a3de3721c4fae0b5fd233668a0038f4fbb8fe6e34bc8cac2fbecbbf3d9499696d4f8f29d5d6eec9b90c4f50cbaae775c800cb5ddcc0fd78eb802990d8e71d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD5d4d53e5ba5b24ba28bdf0099f5ee9455
SHA17cd0ae1c4de12cc4654df30a2f80a1f1cc0f4634
SHA256661543266170d64392fef11e8f64adaf21f6564201f291ff5ebb0d6a2832a5b1
SHA512769fc1104199e778945a20a66acb229f32424a46d8e0f71cf7048f088c60d069e0fa09e7e0b8ae3e4300de0e8fe5b888d6c56a903eebaa2f44726d9ce685fd14
-
Filesize
1KB
MD5e32bc8cfcfd59d66455d6857ab65d8ef
SHA1e6c40e0dbaf43a9eaba6da837b4f7b0564fcb8ea
SHA256a83f4720eb4e68a1d4172e11e8cf6438edbbfbdf4b59c60c4e8291db0c55a805
SHA512a0259ea9df912c1d1c11232bb0d8b0a20167b24dbe4efa1a6a1479e46a69b4b696c524fd7b15ac81f78651005a9b2b076e7fcadd73b440af4354c7c5f3782cba
-
Filesize
5KB
MD5147f14155c25837f682228b87a697e47
SHA1bb295a2a52de927d81d6de22f4aaa2ea2d9e55bc
SHA256dbab02d64b8fe700881feceadc1691dced5c770adfe4c6d3fa6f25d58ab6d2de
SHA512ae8f4a6df36b03c49cf7a2a20ee3faa76043e22fee87ea8a64ae1a2586e37ad2f8ac690b5239783f8d195f9ee0dec252ba567a6b8e3e6778369e1f0af2369d8d
-
Filesize
6KB
MD5ef4629255dc7069e5a8bb7d183ad13c1
SHA1d81deadd414c914821c4fd0c2c33815e825868e9
SHA2563d2bb041b901c928357b6e9b313106e93aab5d93debb26d487acc313df3cac97
SHA512466c1e1975af8e1c14f48063bc4bf4eb04e84de3c15099d3f59670ab6f933eaab1a10ce45030736dfc85ec88b14b14fc9b441fadfff8d3069d9e55d695222839
-
Filesize
203B
MD5a22005adfe29f67f0c33a41b0df52006
SHA1c86352274243412e04be7471d922909d2afffcbe
SHA25680b17a20f2e29e7c2ace21a74911296983386b8ffff8c4feb0092c8dfafbbe89
SHA5128de297d9aae958a925a4e2db63e69c14b1c143a6abfbc5c96d8fc8690c91486623463b6f36dc55848e9a8e5b88960d371b4aa726f69bd633b2af33b08baa65c3
-
Filesize
203B
MD50d9769feca3e93ae4665bcdf14bb686f
SHA14822084eaf02652892c8d52265a4b00b5045c22f
SHA256ebbd61aca316f614a83939d78a2de31e5269e5ca6521dd194f293d08a30c2fd9
SHA51281ce9bf7625e0c4e6233004d63e4bf8bdd191f5fa2dcb687d3f6107ef0c6ceaa4a2caa0fba2d2af4eba3a973561d0fe93328eab89d7627940273780a393b78fc
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5
414429cd0d026ad9adf1c3a180e8fbf8
SHA1
4e2e9a25cc9dbb28df406bcf4a078b7961939bd0
SHA256
a750dd5a968cef835511e64cbef3a23897caf5f635f8d26aa63bc9b592c85c32
SHA512
cb659d6f58f1e0e7d858e01d668aadd3e629dc4751d13cc776dca645a71057358156a00ba20c7715b337db86d834ac4e090e8cd25d965272ef0fe1c901369d9a
-
Filesize
10KB
MD5
17d40245887c4da2ebc8477f825c9a4c
SHA1
4c797634b12edab31d61b525e93b262ff4af9516
SHA256
37d0817483c4d578400368d8387125ecab6a5c68598a94e11b82e557c8e3b434
SHA512
e7ec55881460d53ca5a63202abf6b7bd289a6d93e8d3d7665c67778bcae5125f37f8a827c875771947550670e87470f6b577046fb871f0c8edcfd87d0b59c537
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json
Filesize
45KB
MD5
e698da10ac10473bf69fe6aa6bfcbc63
SHA1
c41660e543de46a6f7d10ca3e514cd520dbbc8f5
SHA256
2fc559912e129d3440d0fed0bc2ef826fc235d49a9d7734033e9a8536ee94537
SHA512
d953e2cdb74dc046ddb2a871c39c75d01a63254cb6432496ced898ca5b3a739b13c5f0d18ecb8b2c5af3e3fb9bcb9b203cecec5c5370aaeca60bf4d859a741d7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize
13KB
MD5
fab36e68fe5f6295f4d3836da7c4fcbe
SHA1
8ca85db9f07080f93af9c5f42ec90d430cf39b6e
SHA256
e2a93c02a1977aa1a31ffaacd79e5d01672ca7c4e3842ff10b73c06117df1b8d
SHA512
c2badfcd10549d4a54f7d34385e669a5f3462743e623762ad986ef2857ff9645a41527969cc5da9dc1af8de585148ebaf1413b39b22552217374405626970782
-
Filesize
1.8MB
MD5
c0f13624a29524295f06ad286784723c
SHA1
1069e278b7f540327870549e0e5b79009974fb03
SHA256
29b67f2691728147e710b02bd1303eab031e9737a39f0b7772682cae15ccf3f9
SHA512
9a236f478acbc258f471f2b457e13964b4807bdaac01d05e120b52539e9ba180a00a5c993ac4d5277fcb9bc1e190f6acdbe1cb4d71617b993be73011199a9b0a
-
Filesize
1.7MB
MD5
4af8d94c6f990f2a93744b016e8eb1a6
SHA1
da316c0dc1edcd2589a7e9ca290c93d8ca24830c
SHA256
c44c6b9007dabc96cc7bcdd0c38aeca19a9073f79257a2fd134ad66002d98b18
SHA512
7a804ceb4e25504b8ac1868563ca68e26808c5ada441eede13d1c6cef3a71a996cf9e2e6478000a6959bc00ede6126f78c7861a15cd63155569cf15c2c33ae0b
-
Filesize
896KB
MD5
3ea8c67b2684dc0a993c63dbb2cebe72
SHA1
e834f19d139da1b509d87ed07461fe6304225388
SHA256
7905eb203033b959a12c2e294a1815847a4d2481733035b48df9ca90a54b3501
SHA512
9358ce01334f556c83504f665ea7aad61211829830140b8c2b1f27f377b52e92d67eab094b73705e52c134b58b49622ed1d49dd91a2377a47de7d4662a9e8c4f
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize
7KB
MD5
41244f84f275f1b64ae91ba855fdb925
SHA1
d27658fae2af1f3f7358778e0fc1d920f687dfcc
SHA256
7b516d3b7a2bc40abdf13035bb11a69f9021974632fb28e1b0bac06438baf295
SHA512
fca93289330d382cc20fab77152963029f27dbca0ce30578f6c636368969344db25100020e4f9da7c3844618aaad46f10279213c6856db0e08fc5b071fb2e098
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize
10KB
MD5
64966458bd7975b31f892d5937a2ef49
SHA1
e544d8616cf4653f3fc137d73a5d910449157484
SHA256
3af3ee65cd1306d417d53915eb17ec590bba797b8f6ba6fa1af299a87674704f
SHA512
3a87f4e6b3aee67e29bbff464aa70fbfb477e025ed37dd129f05b24195a01b0d885f813a66d5542cfa078074f35b3d4ab0f5a220656264f40d730b5318903a7c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
6925707d7e0b521f4884d52aea498f18
SHA1
b66d2c4cffa00e8608a81f89d929b073c782416e
SHA256
c1abb8274056fc1f04c2d289d9874193fa95e930b6ee3393712fed35a86a1056
SHA512
6ae51b338244b6ef95a540d72610efccebe9cef892f2bd450376b2231e71be746e7c91cff0bbbc7ec4e97b9d5730d345ddbee3069e6a850b457ff72f39d04db9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
d7c0f6bb16591e8cb3f502bfb8d7c1a8
SHA1
7d65d20569ab3cc548c55f5e7fe0dedf3f0d240a
SHA256
e8d32bf1fa0fd7aef46f2d3677444031b33b1ba01f3d772e9f77f7c4e017d8d0
SHA512
1a9f89a72e36d48fdaa5f81b16fd884aea26001b7a0a5794fdea85ae004d5f3303d084f3dea57b92d8ba53bab8292a59c2500f2d8faa2d0890168ca91733e4af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
f2c177c896a773c7f164ea8bdc6c9a8a
SHA1
6d9478af180bf639635e78ad52dfd81ea1c64207
SHA256
9af3f145a1cf37269133a419fa84420abbaea19789678f2565bc5bb89d169f37
SHA512
524ceabad61035dbe2cf9f6471e3c3b6b613d4b46f0529028718200f3c2067717b90f6fa242516b167b1e4dc026b3e2e9f88ef76c85a2f25f970832dcaec1c03
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\1e51c403-7103-4dc7-86db-029e3346697d
Filesize
671B
MD5
8e4a0298d66da5a6eccc59b1cc8fb1c9
SHA1
0198c2de9c4b5110cfe8f7f9aa6634ba047a1b53
SHA256
9e749ecca7ff014f9fcc49c2b44200698c62144b6837081cbc1a237327855a83
SHA512
8ea536bd3523c6912bac0bf09c6af41e55c63ab6803628356f9ec4e10319f0cf492ac0e7682f31c6b3620e693745fd843811a1234d868feaf31416bd3207392b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\5dd9f71c-dddd-4563-b438-f8ef0c2eeabe
Filesize
24KB
MD5
a575d9bdb33b7b1430c554e9ea93c03e
SHA1
ca6abf802b9cefa5846e66bb897698adb110dfa1
SHA256
f9c5c09044848e8310c4ca2556e3f56455250bf1f11c6a048ca4ffdeb1f495b7
SHA512
543fae516c17c297b10b717c6958f960be7a6839e805952f239d05f6899ebf6095d49592ce9ed35247b85fb4c7a3c74e9f052dd49c20027874d839682fd75269
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\a46e2491-a3dd-4d2a-8fb3-248a2bc60644
Filesize
982B
MD5
d7e6572d6add9fc7089fe7fbbf808f4a
SHA1
96b28aa10d2218a8cbde7cdf75007ce61182757c
SHA256
774ad0464e33565f06347bb3634e70e8bbaed8f901ea7674ffdf46cd32a4c3ce
SHA512
68555edd7e956918d7e11a0ea7bfdd861857854e7383893b2a947253ef3697db4aab45ac4ac0e02c732bdae5708c9d172221d58e9c8e02d570415d6289ad31bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5
58ab6a546115fd64afab932063307b45
SHA1
560edc0217f60ddb1e4cee3297fa1c51782416cf
SHA256
5f7bddf3f499350df3938838bca7b772f9ce5a8bce6a18d0363c5a13cdf5c247
SHA512
1a0b74862f08c972eda7a96829365b8e84202925e63884b9387fbe62e105fb459b5ca8f052c040091bee63d8e6f271a5fb2612cd0841e4b6d7e9ded2cbfbb4e7
-
Filesize
16KB
MD5
10c7dce1a2810a39f60016b7b9ba2855
SHA1
0521b90c88c94fd04d9ad25940521dfa123ebe9c
SHA256
1298d15ad9d5a85388abdddf02f4967c266d35ee43121675b797c36c20bc5f65
SHA512
78b9b6ce9b124dd9b898d7ff1cf90d3efcf57ada5410dd1b5941dd1142008588019937fe49b9efdf7a339ad7db74f197aea7e45ba5ec95ea7d59aa65f4f16695
-
Filesize
10KB
MD5
38860ab730cd854a28ad791e07ca6bae
SHA1
0de03af4af365f337a36f5948975b35dd1629b73
SHA256
7b7ce2d0ec8dd1c9dc921d2c596a6ae499e717395be4dccf4e642c4e14a00f75
SHA512
0ab88ce8601507a8382cffbba9b623ae64ebbb61671fcf0f7869be2fc6b35a0875b57fe784ede56830b23760fcd79f905df1e18d955c8a413e0b4bd3356511bb
-
Filesize
11KB
MD5
3c43183f5e765abbb2726758c9eae0ee
SHA1
eba4af1a84135d20549d99d105ee906ed10e2c88
SHA256
2844a68e7296280eb9dea08ce8890ecc1641179d7e179ba644da1c807f55d5af
SHA512
f690e1324ed88aa460125f4d104c5352d3de50b6e33980899294db92cca9cbbf09040dbb65b1c16228db5f4d6b23b2bc9117f80747ae453d6cd2f3278ba2edc6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize
5KB
MD5
5f9b731b61c13ce3eb0f1139f5ddb04a
SHA1
7b5f9ed273da9cd51586bd02e6979999a81ebdda
SHA256
df69154b7f2deca9c5ef9c093931ae6dc1af29602780afc8ab8e1c063ca9c8a5
SHA512
986b5ef005d104997accec1a8378760d9a60e2683300d55daa92a50700076b0301f5209cc987fde2f61567f66c7117312ad6f15a60176e10bf8cb60a5ed992d9