Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-09-2024 16:22
Static task
static1
Behavioral task
behavioral1
Sample
c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Resource
win10v2004-20240802-en
General
-
Target
c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
-
Size
1.9MB
-
MD5
1de49b3fdc9ea2b75ab877a135a0c515
-
SHA1
cc6b677a7199fe6c5af084b6e2c23e31ddd02997
-
SHA256
c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76
-
SHA512
e7a46814c972927617af62ee8e394e7229a2423231cbaacc1264f2c1d0c48c37bde88956df2fdcc51b4be55540ecc4d85441552be79cacf4e870fc1d1b699be5
-
SSDEEP
49152:YsqxitZ1NFVxTgItlkJc9rjI9jnzCfEIT6Uyz:YsqxEZ170ILBij6nT6Uy
Malware Config
Extracted
Family
amadey
Version
4.41
Botnet
c7817d
C2
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
Family
stealc
Botnet
rave
C2
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c720fda6c6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f3c1328951.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c720fda6c6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f3c1328951.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f3c1328951.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c720fda6c6.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | svoutse.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Executes dropped EXE 5 IoCs
Processes (pid | process):
4208 | svoutse.exe
3764 | svoutse.exe
2340 | c720fda6c6.exe
4384 | f3c1328951.exe
688 | svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | f3c1328951.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine | c720fda6c6.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3c1328951.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f3c1328951.exe" | svoutse.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid | process):
3764 | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
4208 | svoutse.exe
3764 | svoutse.exe
2340 | c720fda6c6.exe
4384 | f3c1328951.exe
688 | svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
File created | C:\Windows\Tasks\svoutse.job | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c720fda6c6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3c1328951.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Modifies registry class 2 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{C17978D4-C08F-4C9C-ABE7-B9C8EA1F054F} | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid | process; repeated rows collapsed with a count):
3764 | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe (2 entries)
4208 | svoutse.exe (2 entries)
3764 | svoutse.exe (2 entries)
2340 | c720fda6c6.exe (2 entries)
4384 | f3c1328951.exe (2 entries)
3052 | powershell.exe (8 entries)
688 | svoutse.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 3052 | powershell.exe
Token: SeDebugPrivilege | 2004 | firefox.exe
Token: SeDebugPrivilege | 2004 | firefox.exe
-
Suspicious use of FindShellTrayWindow 22 IoCs
Processes (pid | process; repeated rows collapsed with a count):
3764 | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe (1 entry)
2004 | firefox.exe (21 entries)
-
Suspicious use of SendNotifyMessage 20 IoCs
Processes (pid | process; repeated rows collapsed with a count):
2004 | firefox.exe (20 entries)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid | process; repeated rows collapsed with a count):
2004 | firefox.exe (4 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; repeated rows collapsed with a count, 64 entries in total):
PID 3764 wrote to memory of 4208 | 3764 | c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe | svoutse.exe (3 entries)
PID 4208 wrote to memory of 2340 | 4208 | svoutse.exe | c720fda6c6.exe (3 entries)
PID 4208 wrote to memory of 4384 | 4208 | svoutse.exe | f3c1328951.exe (3 entries)
PID 4208 wrote to memory of 3052 | 4208 | svoutse.exe | powershell.exe (3 entries)
PID 3052 wrote to memory of 4980 | 3052 | powershell.exe | cmd.exe (3 entries)
PID 3052 wrote to memory of 4412 | 3052 | powershell.exe | cmd.exe (3 entries)
PID 3052 wrote to memory of 4520 | 3052 | powershell.exe | firefox.exe (2 entries)
PID 4520 wrote to memory of 2004 | 4520 | firefox.exe | firefox.exe (11 entries)
PID 3052 wrote to memory of 1796 | 3052 | powershell.exe | firefox.exe (2 entries)
PID 1796 wrote to memory of 2740 | 1796 | firefox.exe | firefox.exe (11 entries)
PID 2004 wrote to memory of 1304 | 2004 | firefox.exe | firefox.exe (20 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree)
-
C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\c720fda6c6.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\f3c1328951.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
PID:2340
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings
PID:4428
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1840 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63eda662-ec7d-446b-95b1-a4d41c3085d1} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu
PID:1304
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3290c965-63d3-47b4-a557-9ecc2042bdab} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket
PID:2652
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2624 -childID 1 -isForBrowser -prefsHandle 1452 -prefMapHandle 2664 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a00fcde-299e-4c9c-bb57-6976dc653ca6} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:5344
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {889f531d-2ba8-46a8-b5fe-0af55442e528} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:5472
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2568 -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a2b907-8ebd-477e-9907-6fe18339a6d4} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:5540
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {944821f9-57f8-4104-9cdb-1daf13e6c2e7} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility
- Checks processor information in registry
PID:3236 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c6652e-8f3c-49fa-b2ab-71713cff76b6} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:6096
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5888 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99c40c13-c657-48f7-993a-72684613fc87} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:6112
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 6064 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f960c6-7c2c-47ac-94aa-968b476b6465} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
PID:5136
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Checks processor information in registry
PID:2740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
PID:4932
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3764
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4632,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:1
PID:760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4952,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:1
PID:4136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5420,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1
PID:4716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5472,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
PID:664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5580,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
PID:4572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5616,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:1
PID:3328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6280,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:1
PID:5284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6548,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:8
PID:4232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6544,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
- Modifies registry class
PID:1668
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6492,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:8
PID:552
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5640,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8
PID:3836
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize
13KB
MD5
2c0ae0a0001d9287bd22cc196fd0ae8b
SHA1
3c9a3b267b04b65ef75824b98dae4001f056e493
SHA256
eb95e13dd835866369a08e8a23c05f09b37f040254330245fd14eb2712f42a79
SHA512
54f56e98a4dd443e145391df76c68258ca1c17e75201378b95673ddc9c8de5db3faa2edbaa23db6a3427132f267ad95b48bb8e167a0ddaadeb456d96ba68502f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize
7KB
MD5
c460716b62456449360b23cf5663f275
SHA1
06573a83d88286153066bae7062cc9300e567d92
SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
Filesize
1.9MB
MD5
1de49b3fdc9ea2b75ab877a135a0c515
SHA1
cc6b677a7199fe6c5af084b6e2c23e31ddd02997
SHA256
c100650b6bf10ab80dcf2f63ae1b5296e57d89ff1a11476ce2b34c9ece6bfb76
SHA512
e7a46814c972927617af62ee8e394e7229a2423231cbaacc1264f2c1d0c48c37bde88956df2fdcc51b4be55540ecc4d85441552be79cacf4e870fc1d1b699be5
-
Filesize
2KB
MD5
e05e8f072b373beafe27cc11d85f947c
SHA1
1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256
717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512
b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
1.7MB
MD5
9f2ea8da04f80eb3da5aa70a8b0dec4f
SHA1
512b90952420f05ba4e9bbc373ca739e62a09d39
SHA256
f5117e607da6f40b945427386ad04ced62b3473351008eed049c3e9653222826
SHA512
c05467a56476014fe6a4866e74ab0a716bde6213ce2bcf6c0eddc9b4702e5dc83d797722f4fe2adfe5bff1eee1eaae435c89113ab53935fbacb9fc760795d497
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize6KB
MD5e182f2c751a4bc5ff06a64e61653dc9a
SHA19ee6cb9f0beadce14be58bda7935adc589480de1
SHA256f6d6018e5d7ab675d9c878dbd850d6bfa8bca368608b8774a0e6c37a6296a20b
SHA512c53f6598df1a88347cf4f0a679e9cb65554f514bfaa1b42bd3493d4fdb1b3c221ba9c947ba03467088459b67a3d6efb3871e902cb697ac3dfd595c7cfd7d4c83
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize8KB
MD59b24966b0b9a91ec7099ad8f736f2ac6
SHA12d9d5a0438c6f64a2a66b585c6f8f7ed70ad05a3
SHA2563e11dfc242d2ab474901bf5bc146bcdac78d6c3d0cf6d8219c0d4ed84930d789
SHA512673c40e978170ab3a30850e45d9df41e08fc9ab1b86dd1c1ab4ba73b73f4b193175ae8db3850bfc5795b429e71688cf243c45f85dda6f44536cf8fdaff01c5f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize13KB
MD55c6ec8f69ccdfeb6037a2905fea76286
SHA1d5aefacfdefa093b7f712f24d92e42bf5ebdd585
SHA25620f41f6444a32c7a44eb05857d78c27dee0ae5745ee65c90e4ec666adf6d1f08
SHA5121b3699b6cfdc731f23174333771d122fdc62f85c01128938b7d358d47e294ea0560557e52ed975acfbb12d882753c736616122ca657f0efa28de8eea20f55095
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize18KB
MD5ffc2c80cea67e1f06f45937ae2c96baa
SHA1d55c07ec1c9fe4bd3e057a8dcfecf96ab4071ec8
SHA2564e19980877ec36aebd0d791d558d2cec19d2cb1a88e4598d758d9fdccba0a38a
SHA512e7097f7b3525be52b4ce84ff235b043f5e0cb5502e9e5eca22fe607a038125431ce2085c5d919af816f603d2bfe471eccd19077889b345f2baaec74cac023d42
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize21KB
MD50e7a922649e01b53c1e261923721f119
SHA186f1db57ce227083de1b5413a303438255ed54a6
SHA2563aaa8dddd786dff26a935d91b3f746d11bd813eedfe8594a431072efa7133722
SHA5123f9e9ed3be3eec5ee6a96afd145359b11f3d8297c22844578f28f96ba9345cebaebda2ac1a0a6a42813720075720fa983238c5bafdc9cb85c8775ba48f328286
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin
Filesize25KB
MD554a4bf8e59636b1a4630416d6c0e3197
SHA1ef9f0ca4dbaf2242bf6ed28758d3202dbda9a169
SHA2560e6c4871c4d4e61f2165b3d15c26a2b56a38eda37d1cba49c5a1c4ca2af6e9d3
SHA512d3144342d60ca4742ee8e3668da55778a494b78bb3bc106441dbeadfa5d4fcc640fef62557306a85f4ba057810c10abd6cf7cf1c88dc8f47653edb3697496c4f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD58acdc0b38820e4d8c8ced1f01a4a3455
SHA1d132a5c5072cf92f3e07762bcb8084743e3ae317
SHA2568669195a465bc13565c2e80591bc6ec23a9e70d963be99d9f105d7680b95f2d1
SHA512b2f957e1c98d758c515e8acf25c985ebea8f0f97340f045406c663866657931822c8d8a232485b6571f909adc94035569f77201acaf6df99dd1751d52e5f8252
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD54eb68bd27070938505289a76f828178e
SHA111cd09be411e9f7bb7b2171b2651b05bb2347cc7
SHA2568b1175ecdc00591d721b78bb8f71298ddbb3419b7eefbc389f5a946905d23732
SHA51249100213897fc65e33bb955168ae5d41d036e727f83889a3cc49e023ca9530cccbecfef86890fbbe25068f5a199a16ed6571bab8447cdec6982e438d368f3342
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD53512ede77f220002616fa8ff64b76648
SHA139a1d6697bd9d0694de4ef0aeb3e97a47da14e82
SHA256dc0a4743caa1ba01657220bdbfd72e9f519fd196db643fe59f091b2c1db648b8
SHA5127b538a82b3a4f3ceac449e3018aafd4337792c218fd0a46f06ee46f7f0ae2531ce2b07707960c106974e33d93fc4b38e49367002199ded5b308c322de3defe1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\3b1a7bbc-3995-4110-9697-a7e477baca17
Filesize982B
MD5bbcbc522da226b865ea75b510194b067
SHA1492b64d49c1e7073bc7902ab39a68a5faa75f346
SHA256e909848a50d7ceba710c8accd71d50e191496080ab7550bf3ce2e5869a053a17
SHA512d061d96f527df328d8d10e92be6e6430092dfd9ec5a4d97134473a42d992ace56d383431e6e57ecefb7f270ac32c073bd024b85a334613d7d5597b745f5613c6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\5add7805-a29a-4da4-a4ca-de44038ad9ba
Filesize671B
MD5044b2abac64f15686464ac4fbd93891a
SHA18cec0f5a5024f43c22cb3b9316f5ee56eed37d5f
SHA2566223ded19694a01d2ca96dce9adc71d474153f57e99c30b272e355201ef763d8
SHA512037bda50ed90565e224bc36da25b9725a930e3e326c0808fc3aebc06f6c33120784b1c391433e23903e7b16298a9c7b0af59a76cc557f7c11c06b527df53b00e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\63377974-e8a5-409a-9803-eee71880b6e5
Filesize27KB
MD5a08ed2c5014fb6b32ef5c3f86520897f
SHA110532f8383ce1d6cc0177932beea46f2dab66813
SHA2566bd7f17da90af84ab58492d53c5d266519e9077c6cbf1d28fdfaad0b1dbcef51
SHA512905a4e440ab6c1f90c49adf14d700cbe3bd40f9d2e8d54d085a6dc31e927555828fe1f15d914045b1206fea48d794cc577ae3a890a9f28e7b256ecf487a64bd6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5227aa4d7fd37509e7f01352cb3c3abf5
SHA10a729d5c58790e544a918a8f9349878b98137867
SHA25620229743b6b13efa8def6d69919b8713e1cf9eaf2e2e33e183b52ff8e8a91eba
SHA512b267fb9560504d7000d6feefbb054833c71fade0757488dfafb553713dc00030ea25bbe0e199f7391ca1e57d85b95c34e83e694fc9ce8a2119e9b4d4186f3b22
-
Filesize
11KB
MD59b0e4f32d7cce28e44a45ba7eadd9f29
SHA18fdffd3002a145fa2f2a973ec5f1a8e631f8ff65
SHA25617ecfca09d3c94aad0c8caf7fcb31f11f715d1cc6bce38cf6484a7cf01c5a330
SHA512b062554dcb4136b1f81b4929ea2d796291ff67c93677e2d0d081153f1494f995d964c4579ee1638c0ed0f8000dede8de8ef078b26b99e20c5ada0bfa9e500d6e
-
Filesize
14KB
MD566a053af0fbba029b735330a8fc7e233
SHA181de8201daa5e8d9fadc5a33d5b38b2f88be5bda
SHA2563caf6ab1052e480777843ec0310f46ab276265714df26542af2b3fb84605f682
SHA512bf73347115411d50bb255eb7c62c7c80a470485b954eaf67a0ae94680a9655f28d906d16c9b21a77dd4db7f6702905c796ad1682f871f8fb3718f1c8dff966f6
-
Filesize
11KB
MD5580cbfcd295127a7389e671bd57205cd
SHA1be2128b38ae471b59da53bbf5a5808ae2e00ac9b
SHA25684f5a2d9543fe1839aa11d860d45e1c5b0dc5ef116a70846b4fa6ab1a7caaee7
SHA5129047a34ef5ceb33be98c22e4cef9b12ac8282152a7918990b98dc90744767c952007e48fb64ef4c3a9cdab385121084fdcc5c64ce7382794344544579513b6a0
-
Filesize
15KB
MD50e3ff9f5f5d1e4684c4798ddb360aeb5
SHA1142324efedec87d079cc7b1edfbd66ac7a6cc59b
SHA256f294e51a75f104a44581b68f49617b45c76e16e08a604a725822dc8890c3b8cf
SHA512aa6e892eaba458f94523e49565b397e384bba99f7879ce06808462cf63d37112ab678769209769f3504baccb6756a3a73f391a750eb379736fc576b09302bdf0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD5e4a97e3aa9504b863596edcfdc7da9d2
SHA1087f78c25232b9d3f34782b6565409c9dc557ad3
SHA25607a03019804f00c307e5e82306e8c5aa22762e1d24b5c7d38fd9f08f8d1f616e
SHA512223f6e1910e32ffc543a01c26ce01126fd096a906e4f31edefdac0240edce6b9012a42f270f9257cf89aeb321373cdde4115ed9900883a9c650003cf5ead9a35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5f78da9a36a698903d7dd0ec190c0da5a
SHA11fae3f817abcd0991094cf364a64b4e43d692479
SHA256ef47ecf4951c89e546f7a80991b73dfcc9add1b262e61a1cde46717ba8aadd8f
SHA512b48e2eff4f713a050c7ff7285318115c4c1d36d9d7a74dc3ad7a42bb34d0ea0697edc61c4fbd1512e72f1a9790c4db976ece4071dce78af2f0b253366aff1be6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize376KB
MD5c7631790ff357f68f8ae86ed51ad93fe
SHA16c4e2f9cb44be8f3fc78cb178641c6e8001a897a
SHA256fa3b1ee59154f2242311b0ba4870509b5232c1c374335690ab0c897c878d783e
SHA512149fc104ab40387f3392f4d459a94c6af2a6643cc073ecb5f1a30ebad99a1b233806773c3fc6970f5c1d9bf393aaa98efba3ad089d16dd82a209dc48db2cecf8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.3MB
MD517bfab3a1bcbaf369e21ac20e497bff5
SHA12e9cedd2ee1f5474bf1038a31e4878fd3523d5a9
SHA2569369aed3555c58e35bf73a062b687fe7b41d3b4704905374f2d40bb4f75aa406
SHA5123264ec6a30c927ff5aa5ca8a049d22e579bb58ed69356e2db77b3d3e266ef06b67ca5bcfd6fb8845beaffc4c2d1d5169a85af6236549945329acd9f266ce79ac