Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09-09-2024 23:42
Static task
static1
Behavioral task
behavioral1
Sample
9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Resource
win10v2004-20240802-en
General
-
Target
9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
-
Size
1.8MB
-
MD5
fb715bbfab832a6a7b4e05fc94a74b88
-
SHA1
b2f10e8bcd6e86d52d2e40d45fa79801e45cc4bc
-
SHA256
9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377
-
SHA512
448ff097de5c6bb92ed9fa4e09f303408729f14b7156bcf4fcb2d6fa8b5859aa04cbbaeb8791e9cbad6ab437cb5e86e582b715a07a13142215341a8ce8c3f9d5
-
SSDEEP
49152:iFLxjtwooQXHsWuWelM0BqO1EeGqGC+AZ6k93xbr:iVxje+HsWuWSEeGqB+AZxx
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | svoutse.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1320 | svoutse.exe
2484 | c155236b5f.exe
4840 | d176c2925e.exe
6052 | svoutse.exe
1584 | svoutse.exe
1828 | svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d176c2925e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\d176c2925e.exe" | svoutse.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
2196 | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
1320 | svoutse.exe
6052 | svoutse.exe
1584 | svoutse.exe
1828 | svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
2568 | 2484 | WerFault.exe | c155236b5f.exe
6772 | 4840 | WerFault.exe | d176c2925e.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d176c2925e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c155236b5f.exe
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703989844425730" | chrome.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{560C1480-CB33-480A-8D5F-E19E3D7E1D95} | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid | process | consecutive identical rows
2196 | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe | 2
1320 | svoutse.exe | 2
1296 | powershell.exe | 13
3124 | msedge.exe | 2
1056 | msedge.exe | 2
736 | msedge.exe | 2
3440 | chrome.exe | 2
6052 | svoutse.exe | 2
1584 | svoutse.exe | 2
6196 | chrome.exe | 2
6156 | msedge.exe | 4
6196 | chrome.exe | 2
1828 | svoutse.exe | 2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid | process
736 | msedge.exe
736 | msedge.exe
736 | msedge.exe
3440 | chrome.exe
3440 | chrome.exe
3440 | chrome.exe
736 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1296 | powershell.exe
Token: SeShutdownPrivilege | 3440 | chrome.exe
Token: SeCreatePagefilePrivilege | 3440 | chrome.exe
Token: SeShutdownPrivilege | 3440 | chrome.exe
Token: SeCreatePagefilePrivilege | 3440 | chrome.exe
Token: SeDebugPrivilege | 3496 | firefox.exe
Token: SeDebugPrivilege | 3496 | firefox.exe
Token: SeShutdownPrivilege | 3440 | chrome.exe (29 rows, alternating with the row below; 57 rows in total)
Token: SeCreatePagefilePrivilege | 3440 | chrome.exe (28 rows)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process | consecutive identical rows
2196 | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe | 1
736 | msedge.exe | 25
3496 | firefox.exe | 4
3440 | chrome.exe | 17
3496 | firefox.exe | 17
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process | consecutive identical rows
736 | msedge.exe | 24
3496 | firefox.exe | 4
3440 | chrome.exe | 16
3496 | firefox.exe | 16
3440 | chrome.exe | 4
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3496 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | consecutive identical rows
PID 2196 wrote to memory of 1320 | 2196 | 9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe | svoutse.exe | 3
PID 1320 wrote to memory of 2484 | 1320 | svoutse.exe | c155236b5f.exe | 3
PID 1320 wrote to memory of 4840 | 1320 | svoutse.exe | d176c2925e.exe | 3
PID 1320 wrote to memory of 1296 | 1320 | svoutse.exe | powershell.exe | 3
PID 1296 wrote to memory of 3440 | 1296 | powershell.exe | chrome.exe | 2
PID 1296 wrote to memory of 1928 | 1296 | powershell.exe | chrome.exe | 2
PID 3440 wrote to memory of 856 | 3440 | chrome.exe | chrome.exe | 2
PID 1296 wrote to memory of 736 | 1296 | powershell.exe | msedge.exe | 2
PID 1928 wrote to memory of 660 | 1928 | chrome.exe | chrome.exe | 2
PID 1296 wrote to memory of 5100 | 1296 | powershell.exe | msedge.exe | 2
PID 736 wrote to memory of 4976 | 736 | msedge.exe | msedge.exe | 2
PID 5100 wrote to memory of 1836 | 5100 | msedge.exe | msedge.exe | 2
PID 1296 wrote to memory of 4592 | 1296 | powershell.exe | firefox.exe | 2
PID 1296 wrote to memory of 3124 | 1296 | powershell.exe | msedge.exe | 2
PID 3124 wrote to memory of 3496 | 3124 | firefox.exe | firefox.exe | 11
PID 4592 wrote to memory of 3928 | 4592 | firefox.exe | firefox.exe | 11
PID 3496 wrote to memory of 1308 | 3496 | firefox.exe | firefox.exe | 10
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\AppData\Roaming\1000026000\c155236b5f.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\c155236b5f.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\WerFault.exe (depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1012
- Program crash
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\1000030001\d176c2925e.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\d176c2925e.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4840 -
C:\Windows\SysWOW64\WerFault.exe (depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1012
- Program crash
PID:6772 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000035041\do.ps1"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 4)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffce268cc40,0x7ffce268cc4c,0x7ffce268cc585⤵PID:856
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:25⤵PID:1488
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:35⤵PID:4728
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2264 /prefetch:85⤵PID:4936
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:15⤵PID:6088
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:15⤵PID:6096
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4036,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4060 /prefetch:15⤵PID:4788
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3784,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:85⤵PID:1140
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3680,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:85⤵
- Modifies registry class
PID:216 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:85⤵PID:6636
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5324,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5332 /prefetch:85⤵PID:5576
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4852,i,5575530509408646400,3132372637250839812,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=828 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6196 -
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 4)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffce268cc40,0x7ffce268cc4c,0x7ffce268cc585⤵PID:660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce25146f8,0x7ffce2514708,0x7ffce25147185⤵PID:4976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:25⤵PID:220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1056 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:85⤵PID:1456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:15⤵PID:5336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:15⤵PID:5344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:15⤵PID:5972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:15⤵PID:6124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4705257756254973219,17871680967805721706,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6156 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd4⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffce25146f8,0x7ffce2514708,0x7ffce25147185⤵PID:1836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6550918550351869771,9728619728018517840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:25⤵PID:2220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6550918550351869771,9728619728018517840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
PID:3928 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd4⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c252a1e9-a2c9-4ce6-b8d1-f80af5e66ce8} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" gpu6⤵PID:1308
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d0f4f6-9eac-4591-b627-50a8de02082f} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" socket6⤵PID:860
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -childID 1 -isForBrowser -prefsHandle 1020 -prefMapHandle 3248 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab195fa6-9972-4f35-b576-8461a9d3dcbd} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:5884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3836 -childID 2 -isForBrowser -prefsHandle 3160 -prefMapHandle 3156 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f37fb6bc-3560-4c4f-a38a-065afdd98663} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:5312
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4076 -childID 3 -isForBrowser -prefsHandle 4072 -prefMapHandle 3612 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee1bd220-61b8-4b07-9162-453da86f570c} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:4272
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4280 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f30bb0c1-180f-4a90-a1a1-c0680d65e11f} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" utility6⤵
- Checks processor information in registry
PID:6692 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 4 -isForBrowser -prefsHandle 5940 -prefMapHandle 5976 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89ad0e24-2511-4e8a-81af-f17be35590e6} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:6056
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6092 -childID 5 -isForBrowser -prefsHandle 6100 -prefMapHandle 6104 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a2bc35-065e-4dd0-a1b9-4fdf942dc254} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:6664
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6288 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c516cf-4863-4e58-a226-7e1fb17c4841} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab6⤵PID:6212
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2484 -ip 24841⤵PID:2412
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5980
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:6120
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7000
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4840 -ip 48401⤵PID:6948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1584
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1828
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
40B
MD52c76afc5a2c5731743f37706c1fc87cf
SHA17e9b3c33b0e65d011882eae9d8224a3f2e30f7f6
SHA25677fc781aa22f91c1beb606634a96088bfbbda95c1c2f08b679c281f2ffbb2dd6
SHA5126cc81e2569857200dcd7f7c161536e9dd1fff4c9fb993fdc58c7f86b79b064713001de5d6af01136b4666439ce16532626559734549150408c8c101601ed8683
-
Filesize
649B
MD5455b59fab71095a28fbac9db4a55f378
SHA1dde7828d86e2a1f6cad847e7696354cd02a27fea
SHA256fdc3725c10cd5c447fd63bdea8dc1aa06196f63d27c7cdbec6b38b14afb800ec
SHA51274ead52fad8ee5d26f48506562e29333a6254c5ebb03fb4ccbab8e1395a2740c3844763ac63357202071016d7cad5a61faac17365a090da5cb07eb7d17a1ffe2
-
Filesize
552B
MD55c3f4d2cedf2f7fae344e382452d01c7
SHA192908f4b6a9d560fd11554f94aebf5d6f68cfd0b
SHA256bdf890d87f564f90d6d0191d7f228947954ebb585702e076832a065b05e0f309
SHA5121899d43c612b0f76cde08fa77b096db910480f7cb97bee8af9a713472e8229e06a3fc842a5c69183f90f33c14b3f81b370b00055e102e4e74f8b03940cafa8d1
-
Filesize
4KB
MD5533433dd4994f70512cdc0381cc61afa
SHA13655aca63f178c3fd030acf6f2c6e5265d79d987
SHA2568a9c08fdc081a3b78e50b948f47054b73a213a36bbb33d8074b3542c46489142
SHA5127d8cbba221490e21e02266190c030b0cd6eb82c77d072e0731d07f5ee0dfd35c30534c4645e6f6f02a5ef02b454e33f831b4b3ac10ba1848829b7f4548deaa45
-
Filesize
4KB
MD55cb21ce0ff8e3cdfa84f21a9e556daa1
SHA1b7263e67e7309f484865cc58ac5a6dcb2a45c2a6
SHA256e8737f69588f5127d45288cc13dc60eb4a76b989f5b323e820249fdf63cf6bdf
SHA512ef40f3c35a60ed13b6bee45d49ee760510f289277d3d9ab4384bd6d6e2f13ae5f7a8284583c5f8935de95ac07fdcd3eff5eeb743e2239a3b3a80f48c427993a3
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD5dac2c18bd29b01b488791c90133b6a7b
SHA16c30c496ba9a527e59fc6312c4aa7590462b5eb8
SHA256c2a48eb602d4fe8a761c709380b7cea89668e6cff03b11924df2f2b15c078469
SHA5126246bfed1d8ebdd604a39c0997ca2a53ae1621be65f46001150fe2227b2b52041690db90e81060c02820d6923c5fad0a17d49fc1374a05e1cb67583d2f23cbe1
-
Filesize
524B
MD58df8345a1e5f8aa26c0ccd70d8f874f5
SHA1ac05a9eed4a0d81ee2aa81e6ce37b6263f5bfedf
SHA2561430f70ba19274216eb23e20ce2a161e48de712aeafc493d8e4237e7f96be12a
SHA51263a2c0ceb0a551a575b8622f9c95a8b9491c0091ef4f29e174a919c2f5074c6db989cabdeee6f248fdc19b267cd4a4a86caa9347233415827b79a4d4e7f70b68
-
Filesize
10KB
MD56f4c14624b4a9e40dcb7ac0ffe5c27fd
SHA1885bec8a8cc5189241f17d04c3a9060f36bf6db3
SHA256a5623356a36b05263928e76add1e0db443e9cc289fbe9e65e8cfe8198ff13117
SHA5126f7187805250019d6f2534601ebfaec579060e373b1733ed5eeacd76d3f4bf719c13f864fcd107d52ce1d9a0552cfad5b607166d8790bfa9fa1ea63d640d760b
-
Filesize
10KB
MD5f3e8d8e1917bebc94ab927078f85a65e
SHA12409978e437618342bc46e945ee83688f0380580
SHA25608cd6b83a3301b066a1711c0cfce9dae18d4dbb596a8a281c4171545736ae035
SHA5121ddab7300a59289ffe874406e91759f164227e5cee285a5ccf1e1834a7a631ecf867fde1684ff498b7a8cccd551ec2d8dd45d7fc216693137fd2f1530d538239
-
Filesize
9KB
MD50a890e8b77482dfe5c2062f75f6379fe
SHA1336a99bd32231ae685e775d723c94a4fe347fee8
SHA2565ca2fd630df77d721c179381d508251f79c5d9703475894dd2ea80ab7ee43d88
SHA5126aec83cc302d1528a47b8e2dffbf0ade72297f2785225eb5f78ba09b9c42df4c9f488dcd55450a4cbe105d2cd49b2ec6f78b9ae5d0ae906b75c82f63370cf3c3
-
Filesize
10KB
MD5958008bdd5a81b979e3376a75b44c759
SHA1a39d1fe5eb198779e96d2049ee8b28bcd06e0541
SHA2567a477ebcf658a31d81eb64d728b939ce508b349796d68a2b72b7d51390df80a6
SHA512f3571e20cc11b821e5cbb145fcf30123e21596af464162226b20dcbea8ce5651304f3df908078f2630d3a669d91f398543c372b6c6d514e3566ed375b5c685da
-
Filesize
10KB
MD57030b043a7883c043bb4a5ae57648527
SHA1ef5835f70c834a9fe2f8d6a098d75dcbcd3e8797
SHA25652d4b08da561a49448ceefad787bd024b086e8dfcfbfa1736f4e59925cde382d
SHA512eb06b03baa21874eed2c190c68075665a66af3fa9b23b40da738fcd3c7baa1c0a3c90e6346d2522b50c3fc9bb8953ddc193d34ba0bb7f0338eebb70729624f92
-
Filesize
9KB
MD594cddc2dc1268e10ad375c14e1113347
SHA170bb0d146fd4ef7e1420bc03008990d19fa9c760
SHA256866c2ec27567ac372968dac4a6b636395105531a948eb82388c9962b78d6e08a
SHA512c9529e0711c3f2370259aea28cfd3e52fe0e22b05e68963b7272adac603abe963db55a453056a1fed91a21f0676a2ec7721e9fd9a1fe86082b921c3fd791843c
-
Filesize
10KB
MD52b93a7b5fc169a7c012abf3fa2c5a082
SHA1ec7f4d8d47f9c431a0d2deb2055be30d4710db74
SHA2561b1936b08801fac65c50ec05cb7a31747981fe794d9456a3d1bf332d33f8628b
SHA512c0c869637cb85c3a1c401f62187e2b9f9f16bbd24e192d5a807ddabc04aca1cacaac5df2397260c72750ed8b78cc4727afd993da78cd08f860c566135805b747
-
Filesize
10KB
MD575cecfc564f40306690e01f7fd0a6806
SHA103e7c6ebb8d42fa5bc2bfbed0f16681bdb05987a
SHA256125adc02fe7ff84da06c5344f35d0e3cacfb4f6ac10a54bed2b2afbb7ae12855
SHA512e08ae0925747cb2808abe8d1eede531545e1cc02c7023b0cdd953b23349a897fdcfa0730badd103640a59bdc6abe98f778cf1bad2f0d0c9e7f2fc04da3535a96
-
Filesize
10KB
MD5cc242f8d9c66aa6b3c4c3f1f975099df
SHA121a0695963e37196c4faaa8d97b426d4995c7298
SHA25627b0117c86471247f98caabde36238e809d587ed1cd6674cf011e75b9404d736
SHA512cc9531d552e0e6ce1eb6b05d3213cd3a5d8689e840f5a7eeb4ac21c28f1f186c69037c78ae1ba40b4a55f19379256582e4f9b568df0df96b2ff271a10e0e7619
-
Filesize
15KB
MD59428a3a8b95408ee9cc4ce8842ae3b5a
SHA1bc742a853cce14bd32e43ecd8fd843b49dcf9d7a
SHA2567418e2518a132c8349c91a4adb8aab336f672b67f26e85aac41270468cb35f3f
SHA5123302e8ec2176f2c24172848495f970a22e4c8a88a1f043bd44bcf36be3f17a4267f683568c4ee079de495fd113de159b4251de7eb750f114779c688306fe2b2f
-
Filesize
205KB
MD57ec87c179dfba2e776dd7f76ebb05e08
SHA1a293e642e87613a5b0fcce898cacdcc96950778d
SHA256eff4f7b9ac91c71b39a7c364de5dbb9c5be790570cc9ef00c54d65e1b6c797a4
SHA5125c3234cdcbc78c693ce4cbb845abbb8f62d3ce27229473d9e17e987c64805915a97b4547f8a416d606e57cd1d71b45a7496e4777dbaeb5e3c48939ed0bc09079
-
Filesize
205KB
MD5ac2e22f0ebf026b15e56d9dedab9f8f3
SHA1f0a75ba2c3f67e4021c41c2192dd86fdb81b4b1c
SHA256ad8d82dbfbc194ac7b5c40caeac2d1ff45fc0b210af278f801058dbf3036e0b8
SHA51232f3d2330df76d163ed7c3bca20fa4ceeda562e9dd9aab381491d5ceb9edfebef83145e6327cd408616cc2da96001a5a67359b2200e052cf3441e2b5cf80cb39
-
Filesize
152B
MD59b008261dda31857d68792b46af6dd6d
SHA1e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA2569ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA51278853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10
-
Filesize
152B
MD50446fcdd21b016db1f468971fb82a488
SHA1726b91562bb75f80981f381e3c69d7d832c87c9d
SHA25662c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA5121df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31
-
Filesize
51KB
MD5f61f0d4d0f968d5bba39a84c76277e1a
SHA1aa3693ea140eca418b4b2a30f6a68f6f43b4beb2
SHA25657147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc
SHA5126c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487
-
Filesize
32KB
MD5e6fd019802e4caf75cc550b3df828db0
SHA1f8a85e905b071c3b4309c345e52ebd60f31778b9
SHA2569a4d03b9c6e9951eb4b28e4d1137d395ffe902e82a5713c9e5179463d5351f25
SHA5123439e2be3a5146362cc0ac40e9a5c1c55887be0177d7fe5c6b4cafdc3a17c52c72055247dd8bf7d6d0423f816fb2ec4df1b69d222a3ade8fe023fb8b3eaa5b79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize504B
MD53852c39d13a465d226f228d432ef6ce2
SHA103bff3c52b25a2a1b96cba995e6a019b42750d03
SHA256a1ae11399462c973160c412818015a6314441f54c72451caea45a0ab39ace852
SHA51247030eb369445da1bdce4c12f7acae01bd84461ecbb9c69f0baa663abb1a87b140cdabb2b41071b8aceb17b6f91fe63cd52e1ca09a1c0e9c304902c421fbd6a3
-
Filesize
1KB
MD5635c8f83fcbab12727af36d2ba8f4bde
SHA1a0f311134e8a5885fb465f984c49f59fba75876c
SHA25647df5920ace9feafbecb65b2e3530aabc41b13b7f63093018204670ac6bea2c5
SHA51237101a8dc499ddc83b717aed41407f61eedc0376728e2a8f355ab165fdaa2b639729af6d2dc0a2371e83704bc4371fd18efca2db61563d7ad3d308811e5a07fd
-
Filesize
1KB
MD52e50e8466da82b925de4ca856b760d21
SHA16df00fea304843cb708c66346294582e70d1068d
SHA256ea59d2066871d383f5945e7d1bf7345e5487c89bc0af70237efbca76693f727e
SHA51229a4a7d113d54661f50daeae2baff6af94a4d142f3249d9d61d1b9043a69449506bc0d11cb60c28c60320cd40330e957c8531c8f110cb57235742b8d1c862a44
-
Filesize
5KB
MD5fa67212cbb8ae1fb4624c735ed0bbfaf
SHA1274468a7cdc5fb7af64e80a9b2674c7aea336cef
SHA256bbf5393bb2ed6a7dcf40abb71986e01dc3a457780eb92da4b941a4c273f36956
SHA512ce5f16ef1caabbc356e4e2f855c15876fab117fd4e5110e3c5ede59c043fbfce90e9af5323c9557d22ee7ab4814c149232e22810eca120fed4fe800c71524cec
-
Filesize
7KB
MD544f85613d02cb77fb07c1612929b8ead
SHA1d8b9a4a29716ec68012449864abdd0d2a8f661f8
SHA256b20b1efb809fff9e33d83f5c60b0effd2a9d72b4bb71940514a1a9ac7c17e40b
SHA51296d358ed55d5ce4612bb0b6b0e8b6fdf653994502abf9b4ff3a6f91184aa4630fe61c97274a845ae34ccec2b6147c8deda83e0720d208e1ea978e3bade5ccc3b
-
Filesize
539B
MD5d5c96895e79cce0431c31475c557552d
SHA119641f650929f1070d1857d2f7acb28aaa6ff244
SHA2568a3c98e1bc25259df1ce40ff0be90f64acc7ee54c2aaf62f948d0c6a263b95d7
SHA5129e63fcd336f21b534f2512147e07707bc755741cb2e399da294f0a0f13928de72794d7807fce62ca67011b3ca1693b244ad20fe4d7c1e0435a2cdcb09558ea09
-
Filesize
539B
MD562c387d974d8ce9947d4c9a099b329d7
SHA1f6646a5025fdb9725f7cae468657468dce1c9d44
SHA2561c9163a0791418a0595eaf773ec45da0e20a2e3e3480c3811dd2d60ef963c0c3
SHA512770c27bfd37d0057ca6d804842fcb6fb7cfa2f6956f558945de3b00b31e8d5d6691239de7ff890c71d6fed5be387d91df9ff29fa3c53348dd6d28df58b2dee87
-
Filesize
10KB
MD5e1a079b8d09a117b3ccf494d4d871bef
SHA1bb6386606f6b0baedb975db6b2299926b9f98de1
SHA25607652b10805c1038e3a61ce374b9116d3a4a64a57c4da090a8d31eb120ccf86c
SHA512a3651239dc969ff16ce21db05d932a21d0a64aa4cbf825d87c8ab6567071972aafec20a546e0191dc3cbc52b8e71a5c40abf25d154c8cff8962c21a8734dad3d
-
Filesize
8KB
MD5553121bcaac45951d956c58785780005
SHA15a8aa1e97958eb6ea8fa34ab65727e560240c202
SHA256a5a394f58fc819f7a7f8ea4cf3cc1eb47570864b343e7efe0ef14ff41f7bc563
SHA5123bc47e448dd5b17744ad4876310b8fb438eff9d1c481b8494e8442fe949ba1b1bac2d717d32efc98b43cf4a5b5f2c1734f9c12721bad89664e2e30bb79e8329e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json
Filesize17KB
MD59d6f1a414125fa53c37a5c22a7f837fb
SHA1df1c8fc84298cc4f690bda7bc609d331ef0be1fa
SHA25650580113c8eb459527304d8cf02f727ee4371d609cd8cf86a3ba8e41c18ba38f
SHA5125390fcb39d013d9050f45ba15a443afbab4a880ccbdb5dcd046d33bebdd22ed380e7f492490e4bb0d5f934e7f0f609e4367c67689131b46eae00413e9e9989cb
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\3F6BAE390F7FB4267066C23DBD35348B57989359
Filesize47KB
MD5dd5f59ff378185fc2586116ed3b6e38c
SHA16eaf3332c410c219bde6e64f13aaa6cd8aecc8f3
SHA2562963978d2f5d974d02b62f9212efe9a854ae52bae247f2514324c95c3227e72b
SHA5127202a5932474bb39fa9277346fe8a841a005b3bf22b7357ea368ef67aeb9c738235bd898c63eeeec1612d342e45a85c2448e195f61208ad80d2db8b1ec39bc1f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize13KB
MD5146f6f89d6510f9eafe48a2070a12ed0
SHA18b5f741df4c1e4a5011a1493669ebd47c7905f79
SHA256e01f2ee158763258fe74bb8006e04f79d4f58d8f2e02175e65bc11426b7ee27d
SHA512f57d42ba4ca486b34d70f0fe717ee8603329b96e99c8314801fe60c964055a7d7232e3ec8fbc881e02379d6d1ac77fe57ab59556749d30fff414a525470fae6d
-
Filesize
1.8MB
MD5fb715bbfab832a6a7b4e05fc94a74b88
SHA1b2f10e8bcd6e86d52d2e40d45fa79801e45cc4bc
SHA2569b79444f799b4643e0332ee52281b406639cc9b7e63c61f7796d1fcfa56c5377
SHA512448ff097de5c6bb92ed9fa4e09f303408729f14b7156bcf4fcb2d6fa8b5859aa04cbbaeb8791e9cbad6ab437cb5e86e582b715a07a13142215341a8ce8c3f9d5
-
Filesize
3KB
MD51f5ac0c26ba396b7af106e48db46ebcd
SHA15b504936cf427af26479bb1c0ec275a2fc77270a
SHA256280d4f5ce7d8f2a3551ab509ad321971ff8eda76dad33ffae5b8961070209cef
SHA51265eed3f167c83f53b7e2474dd5b2ab58c7dc7ddedbe89fafc016cd1441dfd02e5c92de3dfb9e2f0ca98b8f438779868999e3212ef64210fde27072e7ad64f68e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
389KB
MD5f47cc7dc355ae01926f6065316c3bd68
SHA16b575930185f216e4fa5116fdcc8906eb9f53af9
SHA25625741e3975370f8b2c77513a0941ca4263a83ec08e1203c9dd7cfd5c18474794
SHA512cf076a077130b8dd48f3e27a6aaba411a6c8833ab8b926c99fc3fb66130694db1ce668103c44aba6196705a9722b68da16287ea8a63ffed250bcf92bba68154e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize25KB
MD54ecffc4e27e885c2e80de3ac34db87a3
SHA1d5799cfd1d2d3b0becb0bdbf2d2091c9e6303fa1
SHA256a3d378caaab4e9cda0c6bce0905d890980e6f9dda187529e287e8d5c0afe928a
SHA5123fe6e63cbd9db3861f45e458896cf70dfb82cf89609ffdcb98cb9c5033672897ff43a088547ea1101a44d7b39fc328c36522eef4312ee2653b03c2a6303a846c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize6KB
MD5043b1567d4fac1f8f2cd12bfdc35a071
SHA1aea07623240184f3b80d75c6d49ab9a8ea07ae5d
SHA2561b42927e121e3c718602346163e446e0f6d9b82acc4ee04913a639823ca69e08
SHA512c9fa423476ebae8959e473bcbd3b4769f82518521d3631ac93f0b3dd7a098058a1fb052168edb326ede5b6ecf84a38bffa5ca63a0e51d1bd93406169fd712f10
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize10KB
MD5bc2742adfb0d073037c32f1bda1825b1
SHA16bbff91746228cdb7fa5e9d61ae00930be6722e4
SHA256257e79b3fb943d5b8c62fdbe6a30178c88a108dce217a5c4a6f041cf59b4371f
SHA5121b60199f1f3bf6ef8074410daf42275b38dc4221fbd23e861de2e6a39ae9de429e2a26ec7062edb42115319fb5e71af49845319940a6b5faf05bb6b59bc78963
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize20KB
MD59b337ff5e9234825dcbae629af4bb3a5
SHA1d83d6dc4d8805820b933cbbbf2c6f9519ae7cd5b
SHA256fb05240884a97de5cd65f157951eb3091479786b6f27cbd4803a7a10110f6eda
SHA51239f40633421826da5e0c4453cf78178d2e16dd1e59ecd4fbd7099984ac5abe937f64c564a0eb98f4aac17a0c6d0f002f5cebcd0d3a3355ba0c98b93ba60421b1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize23KB
MD55595c6414e68ea83eaf85592f85305a8
SHA1ada86ec6f64817cce40a7aa169f55ed39c36f336
SHA25690132f789079d863219d9b2a4633e3f08953addaf28f9fd89338f1ac926ff7ee
SHA512d1c3dfbfb86d56b7daadb26f5347b0726817405bd006eb771e593a00fec0d33f949aaccc144b1b6424f56749e4dd903e6ecccf8ee3cba2aed9d550be5f8a12a2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize14KB
MD5cbae572bb10570b2d3f9a310f53f55da
SHA1b3b8c7ead5082b13ccec321aae78bcf7ddcc8675
SHA2565618e93c2888880b8fe4fff698fee9dfb7b8b68a410a444ae1bb3b571ec4e607
SHA5120880600a9c253501184aa80b82366e749204d4afee91b44e1067b05285aac23a424eeb3b0615d5dafd46b9a647b33b6f1ff0cc962989cbfbcc3d4693ada94013
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize14KB
MD56663c4bb235e6253bc224f6434ea9b93
SHA12d7eb240e0b983928ba1c71cc109fd15d3798a01
SHA2560edbcba9983efb48cc0bdf5826e58e4663c594cddb3cf1a2c3b8b8bf23e85bc5
SHA512b993ea6281be2ff9c03635452aea53f419d8485f2fcbeb91d2c4bc92516f9cfadc9ec01e6682a1b80161ad37dc0e0ce7725c51c567f96e67ddb6caf2dbecfe9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5307a98f85fc562a888c4bcfbdd30cc04
SHA186aaee71a988f98c274103ae42cd294bca99f5f9
SHA25689197f021c6a11bf2b39207264c9f4d69c8225fb205ef38097cc2493a0a71883
SHA51225fd2d2a7b82c5fed7365413d1ae0bab1e48a4e2ebec2e1238ceba15e4c29a4856fae647a4af5319ec923117038262ed8ce8fc14116af59a52f56ba8ca9cc99b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD5bad1cd68e4916f3387a54f94270dceb9
SHA144c514d110e96ae08aa120f999055e8d67e6aa8e
SHA2565b8b6a9de558df1c3137fdc1a5ae94308c77c58ca153facf62268793051b938f
SHA512f332855e70d3165a2fac6fed8adef480d936c0983160fec6e35d19939408939eb49a340279bd05edda652f2e90253565274c2f31324d266854de5f9967740302
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD53f1f271a2d7d176708856351006db17c
SHA13ceb1071cc60a79c4b2c3c1f4a05f690bbcb3699
SHA256bd82da91a1b960967ceea3b552252172affe02463e4dce82973a88c57de25f13
SHA51279edde7d6265c7545b6cda04a2411b98f09c4756c522d33aa8628885ac12d601b8f42558dfdb60c2db363326a717baa814c8726a85d4ae70eecf9bf3912c8372
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD544e5237219391d709ae1d383e50cd4eb
SHA1e9401a17988717c1d650bf2af5e1fd8db4a4054f
SHA256d1f70f3247420742e2fdfb8c79b2acbe28a624eff6f8620baebc5ee848d12aef
SHA512fe368eb6a9fc4a5d728f64c4af47ea6c27ebb4e56a48dc58c826f4ededd32d98d0bc597600f1983e9eee5de6c5bb444e8117b25bbc3afd8a4283e79e7150934e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\1ed23821-0ae0-491a-bb41-8c5df1c8fa77
Filesize671B
MD5d0b0873ee4043c18069096d213011d19
SHA11a800701871ad00766a96cb84f0a5d630cbb8949
SHA2564c2ef279f0e5390762ecdfbfdf59a37ed3714d67bb9356337ccc4b16b0043315
SHA5129c6ce269b95a8feb68a5128227aa748ce3740a6e16725f17adffea690811e91292bf03beb256c3debc812c87054709e0accb266c6364090dc72789353950750a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\6d355a2a-4351-4e9a-aeb5-8db6c5a2eaaf
Filesize982B
MD5d8c7ee92da4b9b68fcc7d043a912f25e
SHA148bc4d626c6154b4e382b65bef08572d8d06063a
SHA2566203ed34a9da7de16899ad9561554469915fa06d3c5b6acc6bf74da515262f39
SHA512dbba81e8fec809b1a5a441d2f74d03bf1029ebe1bd404806b384e4e0b9d983881b5e567241fb03801a4da2a7180aee173b92751b85aa99f7ec2add6c72269389
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\7a7ee295-cd2c-4342-9ade-24efe0d31ad1
Filesize27KB
MD57eb6248deccd462455e2b84ac92782ef
SHA198a830c82608c8007f484d20ddff8226ed3eb04b
SHA2565ce2d155655efdd7280544fb1e0e9447b68178987f81180069381c13bbdd2cb9
SHA512176a2b1d62e3d94978cd6f377b3bc4da0910487af9ba4bdc712ec5027f5dda064bcc854ac9a29c7d6207d55bf695158a00adc784f8a4fdadc7bd873083c9e19d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize14KB
MD5bbe025544bdddf62a76eca40fbb62ee6
SHA14e790b4184eeaa03d084be5ebab4be9d3d8fb534
SHA25684fa115c6dc5dbac5e2b01e1463a58f4a0b0c08ca96611987551e722f20f39da
SHA5124699e2fde808e5e15e40c129daa04b8b3d689358cce4a1dd1333f542bc2c2451b00f57fca871949f0f106691ddce6f77ea70b8b754367e556b4008e798625612
-
Filesize11KB
MD5c15e6b15c1e98722758ab6e1cf5fee3d
SHA101aec7c3d6a550cc40383a6a5357f6f885accb00
SHA2564457369bf975a3f8943a979cf84be1718e7b7d3f42322bce7f281e5e0a2ef6db
SHA5127800c15e222e36ddce10560c3ce691c6e5fffd283a9f4d13c0faa83a5a01cbe3d8ec8ddfaf6a260503e282cd7358f999cdf1440f6b8d7b6f90d76653b8ddc3f3
-
Filesize11KB
MD55f82d6e42bbd81e681b35a907483002c
SHA17a9366d2c2cbbff64b0187267c46a248e428d10e
SHA25619d2bd7bcc8850ec39ddb8c6a524e7aab883ae66f3fdf16c3b11e9fc3a73162a
SHA5120398d938a32c1d18391fcbbaa595b11c504cc5ac5179ab56c63ce906591cac248a17e3000deee26dcb7e367cd077fb155f02f8c21fedacd2037cc428e2b69e18
-
Filesize11KB
MD5bd82d40dda99f9c488ed28397a15f47e
SHA14a1ea3c91b94635e67b41d5de80088359b173aa1
SHA2562c6258552253a90755a0e06686068c94eec798e1a1ec6368a64ab40be788bf78
SHA512d75835b774eb5778f576ff76aa338306183c9bf25b4fcac52c935305996e3784de8dd3401b3a890290df283f8c623573c3dcdabc4ebfe865ff55996b9982cd71
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD543cab902c4e0a1355b596a3d3105ea23
SHA18b38eb117d565cdf44138932de7d9cf325eeab6f
SHA256610ab6326719939d36da9965b909f2bff24a3891d5d7f3e22e803c357d0d03de
SHA5120f7a5e36c22c0de401791586f18467e078cbca6ea1d2599cfc15e269b0cf5a9ce4b0c1f3801478f4f209353f038633727fc5055098edaf73fe201eae22bb9b56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5def044dabcfadc323a1e330e11af5fa0
SHA185a53129afba7f9c959c796637ca4950eb7d489a
SHA25678ac5e685a152d7cb9ba8771763eb20a992006681565ad9a4cb62069b0eef9c2
SHA512527af85b953381f0d029ac3519b6c118348345051f1d0884202ac381e6495b71c674a2a2bc56a3ad9101f5c2e7f99385cbaa6b3cc45b18a526731a7b20df1cac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize376KB
MD5338ea86ead3bdc42f13d17d0619b999e
SHA1a4c8ca6f61301241b6b46be310dbcbca0a117d59
SHA256056b4d1953862455ac36ef76bc5269d837dfcf366aa99fced53976807131198c
SHA512aae9f2cb132e27e0673d87661fba902a816892cdaa225645a226cf0f7b15a1f19168c99f133daf096f15dd267a2eb7f248aa3f80adfefc914cce0c495e0982e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.1MB
MD5e1c78baa219ca5cffe2541c855948b32
SHA15ab5f26696147e8b73cfe317dd3f1809140c4e0c
SHA25600adc62d2be34cca56d424dd0ac8634299e38a61021157f2d40989e73ffc1908
SHA51263ed76fa616be8f29085f87027b184d3f7b558253bd0559da9c3caf5cce4118db20878ba3bf3d727e8dc0aaf629731ff6ab2364464713ed48c7465f0650221c8
-
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of zero-length input, i.e. a 0-byte file; no path or size is recorded for this entry.)
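Added worked example (not part of the sandbox report): a parser that turns a dropped-file list in the layout above into structured records and triages them. It tolerates the two extraction quirks visible in this list (a label such as `Filesize` or `MD5` split from its value onto the next line, and entries with no path), validates digest lengths, flags entries whose digests are those of a 0-byte file by computing the empty-input digests rather than hard-coding them, and marks Firefox profile paths, which are the stealer's collection target rather than malware payloads. The `SAMPLE` block is constructed from three entries above; the record layout and path heuristic are assumptions about this report format, not a documented schema.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's layout: path line, "Filesize<size>",
# "<ALGO><hex>" lines, "-" separator. Entries 2 and 3 reproduce the split
# label/value and missing-path cases seen in the list above.
SAMPLE = r"""C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD543cab902c4e0a1355b596a3d3105ea23
SHA18b38eb117d565cdf44138932de7d9cf325eeab6f
SHA256610ab6326719939d36da9965b909f2bff24a3891d5d7f3e22e803c357d0d03de
-
Filesize
14KB
MD5bbe025544bdddf62a76eca40fbb62ee6
SHA14e790b4184eeaa03d084be5ebab4be9d3d8fb534
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so "SHA512"/"SHA256" are matched before "SHA1".
LABELS = ("SHA512", "SHA256", "SHA1", "MD5", "Filesize")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Digests of zero-length input, computed so nothing is hard-coded.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HASH_LEN}


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    issues: List[str] = field(default_factory=list)


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    """Store a label's value on the record, noting malformed digests."""
    if label == "Filesize":
        rec.size = value
        return
    if len(value) != HASH_LEN[label] or not HEX_RE.match(value):
        rec.issues.append(f"malformed {label}: {value!r}")
    rec.hashes[label] = value.lower()


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Parse the report's dropped-file list; a bare label takes its value from the next line."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None

    def flush() -> None:
        nonlocal cur
        if cur.path or cur.size or cur.hashes:
            records.append(cur)
        cur = DroppedFile()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            flush()
            continue
        if pending is not None:  # previous line was a label with no value
            _assign(cur, pending, line)
            pending = None
            continue
        if PATH_RE.match(line):
            if cur.path:  # new path without a separator starts a new record
                flush()
            cur.path = line
            continue
        for label in LABELS:
            if line.startswith(label):
                value = line[len(label):]
                if value:
                    _assign(cur, label, value)
                else:
                    pending = label
                break
        else:
            cur.issues.append(f"unrecognised line: {line!r}")
    flush()
    return records


def is_empty_file(rec: DroppedFile) -> bool:
    """True when every recorded digest is the digest of zero bytes (a 0-byte write)."""
    return bool(rec.hashes) and all(EMPTY_DIGESTS[k] == v for k, v in rec.hashes.items())


def classify(rec: DroppedFile) -> str:
    """Heuristic: Firefox profile paths are stealer collection targets, not dropped payloads."""
    if rec.path is None:
        return "unknown (path missing from report)"
    if "\\Mozilla\\Firefox\\Profiles\\" in rec.path:
        return "Firefox profile data (stealer collection target)"
    return "other"


def triage(records: List[DroppedFile]) -> List[dict]:
    """One triage row per record: path, size, class, empty-file flag, parse issues."""
    return [{"path": r.path, "size": r.size, "class": classify(r),
             "empty": is_empty_file(r), "issues": r.issues} for r in records]


if __name__ == "__main__":
    for row in triage(parse_dropped_files(SAMPLE)):
        print(row)
```

Entries flagged `empty` or with a missing path should not be promoted to IOCs; the empty-file digests match every 0-byte file on every system, and a digest without a path cannot be tied to a dropped artifact.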