Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
11-09-2024 11:12
Static task
static1
Behavioral task
behavioral1
Sample
abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Resource
win10v2004-20240802-en
General
-
Target
abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
-
Size
1.8MB
-
MD5
339004dd3f0e7689908bfe8f0f275de7
-
SHA1
3e095a60342506e00a7bd7ab9001b4997105c7bb
-
SHA256
abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4
-
SHA512
f71822833f56fa77a9ac61a7e4803f58f5ea32f5f43264b260b171f8d1e541f8604989d1074a899d6b7923c9a6d667ce41528f17ffacd946ed85cc40b306157c
-
SSDEEP
49152:DIjYAssbpJb5Sx9DwZ+OMKsOdeYWn63ZkQAkcoxNi:sjYAsopF56xwZ+O5Ne163Z5H
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svoutse.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  11ffb6da61.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  f37d681551.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  f37d681551.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  11ffb6da61.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  11ffb6da61.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  f37d681551.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svoutse.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  svoutse.exe
-
Executes dropped EXE 5 IoCs
Processes:
pid  process
3500  svoutse.exe
3528  11ffb6da61.exe
4568  f37d681551.exe
2700  svoutse.exe
5336  svoutse.exe
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  svoutse.exe
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  svoutse.exe
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  11ffb6da61.exe
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  f37d681551.exe
Key opened  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine  svoutse.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\f37d681551.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\f37d681551.exe"  svoutse.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid  process
2044  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
3500  svoutse.exe
3528  11ffb6da61.exe
4568  f37d681551.exe
2700  svoutse.exe
5336  svoutse.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\Tasks\svoutse.job  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svoutse.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  11ffb6da61.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f37d681551.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
-
Modifies registry class 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings  firefox.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid  process
2044  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe (2 entries)
3500  svoutse.exe (2 entries)
3528  11ffb6da61.exe (2 entries)
4568  f37d681551.exe (2 entries)
988  powershell.exe (7 entries)
2700  svoutse.exe (2 entries)
5336  svoutse.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  988  powershell.exe
Token: SeDebugPrivilege  4696  firefox.exe (5 entries)
-
Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
pid  process
2044  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
4696  firefox.exe (21 entries)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid  process
4696  firefox.exe (7 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 2044 wrote to memory of 3500  2044  abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe  svoutse.exe (3 entries)
PID 3500 wrote to memory of 3528  3500  svoutse.exe  11ffb6da61.exe (3 entries)
PID 3500 wrote to memory of 4568  3500  svoutse.exe  f37d681551.exe (3 entries)
PID 3500 wrote to memory of 988  3500  svoutse.exe  powershell.exe (3 entries)
PID 988 wrote to memory of 2988  988  powershell.exe  cmd.exe (3 entries)
PID 988 wrote to memory of 2668  988  powershell.exe  cmd.exe (3 entries)
PID 988 wrote to memory of 2348  988  powershell.exe  firefox.exe (2 entries)
PID 988 wrote to memory of 2232  988  powershell.exe  firefox.exe (2 entries)
PID 2348 wrote to memory of 4696  2348  firefox.exe  firefox.exe (11 entries)
PID 2232 wrote to memory of 2680  2232  firefox.exe  firefox.exe (11 entries)
PID 4696 wrote to memory of 4612  4696  firefox.exe  firefox.exe (20 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044
-
Level 2: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500
-
Level 3: C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe
Command line: "C:\Users\Admin\AppData\Roaming\1000026000\11ffb6da61.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3528
-
Level 3: C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\f37d681551.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
- System Location Discovery: System Language Discovery
PID:2988
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- System Location Discovery: System Language Discovery
PID:2668
-
Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID:2348
-
Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb90e537-5ab1-48a6-a61f-c3232f2d81bf} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" gpu
PID:4612
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8bd459-c96f-40e5-bf3e-f5770ef67bab} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" socket
PID:2920
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 1 -isForBrowser -prefsHandle 1680 -prefMapHandle 1676 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3fb4ea0-575b-4d92-977f-529e383f8c8f} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:3728
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3720 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {876a37a4-924c-429b-8286-c1d1190c2347} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:3672
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -childID 3 -isForBrowser -prefsHandle 4112 -prefMapHandle 3728 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb2b391-83a6-4f42-bcac-9ab5771897f3} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:4060
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4756 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9524ec-a321-4dcd-b8bc-bf2e04f98355} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" utility
- Checks processor information in registry
PID:3976
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 4804 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2653c47-b9c4-4764-a800-5fb7efbfcc62} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:5652
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5784 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {551290ce-8462-49cc-83ed-32ed3a90b3ec} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:5676
-
Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5976 -childID 6 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {248ee527-5652-4ead-b548-6102767ccfbc} 4696 "\\.\pipe\gecko-crash-server-pipe.4696" tab
PID:5688
-
Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Suspicious use of WriteProcessMemory
PID:2232
-
Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Checks processor information in registry
PID:2680
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5336
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1 Registry Run Keys / Startup Folder
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json
Filesize26KB
MD5772135cf6cf010ba0fe257e193b533be
SHA1c0e17f2c01cfb4977d91d0b6b08f733083ca829c
SHA2563d0acea60299ba03c7c8ad4117176702e60958eae2948fe9d534417b766589bf
SHA5123c8a2eef0a3d743d0f4a2daabd304f420e1a2411f091198cee14234e271a27298889f0d8367f84ca44f8042b269a483d9e66a07a29f476e1787b6c25f7d07d0b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244
Filesize480KB
MD5926e4fcaa860d559206cc201f9842e7c
SHA13c1ac691c0788cdfadee70351952725332dda53b
SHA2563de8d761aa062fea50de53a713f3e175ca20ca5a378f31677ea32252828f21e4
SHA512d065a7ef09001ea9a6698325a424b486e1ac0a6cf9019292da694f0cee1e43960eb44a07e58e6c0330b15e58106f21ce9e10a3a570d4f851fc3051585dd9a820
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize13KB
MD5ae4ab54a2648cd933c203b73827ef977
SHA1df81ea2c978a3219864ae98a13374d456bc9eb3a
SHA256f08b75db449941b6c2f8e890829a5dfbceab563e2ca696b9bb1f0069f9f32746
SHA5126e0616a1702f1f63d558ac10a7997a344c18e1da5823185e444f4b19a011f3cefd8e202e9dacb7dc4e2097dd1982b510eb44328aa57d013d2abeb20af0a2d907
-
Filesize
1.8MB
MD5339004dd3f0e7689908bfe8f0f275de7
SHA13e095a60342506e00a7bd7ab9001b4997105c7bb
SHA256abe7e20ac9c138c3226eac7681fdf927f61e9267c8f3edd3bb181fe8a587e9e4
SHA512f71822833f56fa77a9ac61a7e4803f58f5ea32f5f43264b260b171f8d1e541f8604989d1074a899d6b7923c9a6d667ce41528f17ffacd946ed85cc40b306157c
-
Filesize
2KB
MD5e05e8f072b373beafe27cc11d85f947c
SHA11d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
1.7MB
MD5250051046eae3713ed1af118169d9227
SHA166ecbbeffdbb6bae912fc9f21b52faeac7b73d49
SHA256c1d2816e557482077a88b8e23581cd82a92dfca70fd1e7ceaec4ba3adbd7d136
SHA512a9a49aaf7e56466ec9cbdf86564ba5ad875d8233f12b26c718dc163dfb7d9e139891e5a422eca933e41c3bc19d5dc62d47606e23019fb0cce8f281a981a82d1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize6KB
MD5fc38a59cf5daa2b9e67ea0d98222dbf6
SHA19b300c26520ca08e562469713aacd96cbf6466c2
SHA256fc99de14201f81b1648c9ffa69427b36b5004cb24328c4cda5df5ef19eaff3ea
SHA512d89a53b660347615ef30d3af69716bf04d13abec09bde8e8b124ce9c15ba4bd3d18af1d413ee774b060f728422026e68c3a3f6a7fbecaa9b4d0f11166a2cb17d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize7KB
MD58429f864a16254ef25c5b8745af39921
SHA1804cae2e8053f7f8968599751f15f2439ebd523d
SHA256c3394a2bb8b8e92325a03018b932a6e350684c77eba9b5825a458e6fab41012d
SHA5129d0995700fdfb989c68c80e0306beff820d534984a9ab1976093acadab86029cbd16061d1d50fa58831cec0942d09b243d7b936f651d0506b3d85a87af312695
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize20KB
MD575a29a507501121b1afdbf4d709f26a6
SHA1cd336ef2bc38be9b827afb5fd08b7907655b008e
SHA25631e2937e0323eb863aa1bb4211e58abf5f9e626fee383cb690114696ef8e6b27
SHA512a30d3d15dc988714a6f2f0dafc55d8dca88359fc809635f22b4e6cd42b5e9d636c249cae491b4830bb3c2c391c18401601cdf07d1632b42117df3ddb09700fef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
Filesize23KB
MD5fd5cf9067d6a3e2cf50c94c03cf46bb5
SHA1910bf754fe5828823c899cc15fe83f3f073326a1
SHA256d456309cf2aed318441c17164dcf53a9da6fcd949369bedd9db6a0b358cd6c30
SHA51202584ed730d505f5061d07a99065f9fd2a42de3fa77f11c35f6857573757f2c33adb5da7145c51e30970402cf4c0c7ed9d36a0de9a8855287d28a4025754dd3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD52a9b08e9edc6b1033590cdf9b8cb4236
SHA13059218d2c20f295c6e2c2b39c723afa5f9c7f13
SHA256513cb4dda58368a527518be8e0129405e8776e59ac63f7fbb1faa7cdb09c2652
SHA51256fe37f6b70d6aee64abe4c68de323cc563971afc4a2f2e51fe39169c802ed34b86261289f02fe80a506aeb4b999e872c226a203b47ef312fa80108b9686e484
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize32KB
MD5be13aee8c6858f65c8e9f8cf851f808b
SHA1be35c48302406670fc4180b0ebd512f2079ab871
SHA25614a1fe0195c61b3097d69024814432d528f6e8b19a32b558bf9e1e13eed68178
SHA512a4ff04ab8aee8f3a38901f75f4f075de5309b5724ada36cef71064aec89a363b8933d501df9a9cb21eb45cafbb42dc553ede09f3859acb72ce6985b25e257349
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize32KB
MD59a92fca74711b7e182d5c06440d33af0
SHA13c11353df695922eea23b496314a76caac7bd438
SHA256dcbb5dfc6ccb1848b5effb05f883fdbdca51a72380741f58893d50043b01ece2
SHA5128a1adbe701fcda1e5a392b9ef90d735aac7008ecfda236a6dd9fcc7c3d6dd413afea2f6b4711bdced2d6c87f8968709e041e85d5b9c8d6e394a7f3c214ad0a8b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD57268312835d3f2ffef9e8b0138719ebe
SHA13f53f84b8f23f94b92128ee435a2381dc4f33c43
SHA2564b02d8b8f0f01328f8ed133ce2d6c315458d8fdc66e24d576af173e1a4605972
SHA5121f68ffa2f0b43f585a403b78e3052f70c696a710006becb420f9d0436a9f350d174b778048f668e203c012f8b74f2a6ee2dde30d593b0746fbd2323f119df37d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5bb4549cf4ca818416e8c31d102a4c7fe
SHA1af9666dc9838100bd8375be1566a7c1288ceaa1e
SHA25604afb380a4ad28362d8677eb25436810e15840ed7c37c264e2e408db8f0a6890
SHA512dae2d9b3fc14e7b24c770c510d3eda415a336b36334fa076e349cbb51a544d27b5460cac547ed36b4600d460233afb395eeebb92e29c86d63746c51ef08e116f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD55c4a19e847a211aa9e38298262343663
SHA189df6adf740e4ed7be606bbec9f9df3963c8581b
SHA2567eeaf13b21fd0271cd802c313fa6d2460959abc1a96f61cd815ed097d510d8e5
SHA512536f8e69f54a1be33f982bf03370e5a95063f50929ea1dbad0992ed89bc0162b049c93fc6a9dd5d6dfc8824e0cdc053f0ecaec3e8124d3db7bd3170864964d49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\7f2c0acb-61f6-4204-a7b7-849a36aaf478
Filesize671B
MD552726bb5f085d15f16ff097ab4f846e2
SHA11c68ad54f17c134b32ad65a3327e463259108b5b
SHA256aa74775b0f6061be2cba1ea270579cfdae7aff40ca93a1d6d1f27cf84f0aaa49
SHA512487fdf2e1399473c00d485ac30d7e9d69740495a6e53d0cc4c3561062afd3802c3b44cd6c4b38f637787ca8147cf6e7e226d4804b9a41d128468bfd8233ae3f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\9383ccec-287b-4592-ada3-dd743c0c7892
Filesize982B
MD5615513e3f264cec9af2b924ac7901814
SHA173d1db9c1f49a6c4787d538d73ee9937179dcc98
SHA256f2814f08b427821cda28fde9ab5c8df3be891f6804fdbf1730b9da35e1bedef4
SHA512d47011e77fd5c9048a47eb410d72cdefd3e53b20686e08057c94c59c02de71d852115418272fe91f9947974acef5e712e20bf6bd161d8f38ac3bf4a3e4df3dc7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\9c2e2357-7250-4c98-85c2-af7576a44da8
Filesize 25KB
MD5 6372aa9031da3a306733a056d832f425
SHA1 f3967c1019fc63538b867a50c33da0d0b2afb496
SHA256 2cbf2ac024f60568fd6fe6e18a9c3be02f15cc66d42bc76717b919c352d1cb9e
SHA512 6fcde1708234e18a728fb74b581be274377f9cba4b0fa2a27b1f99998785528acded7aa77eb6322099d6ab3a9758176fb4b40702a45f0b01cc15391610399b83
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
Filesize 1KB
MD5 36e5ee071a6f2f03c5d3889de80b0f0d
SHA1 cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize 11KB
MD5 e29157a56eaee0a48edc3f2699c954b2
SHA1 1513602296a8f289b7a9354b83fec5733ab29c0a
SHA256 882c93eeb7d65a0035503f12fd3bef4e1c7679340c28020cff12435e3a5116ac
SHA512 e5efd36518f1e0a919c0d400cffda9c17cd417abacc82c5072dfc8f654cc0800dc52798dae77cc501f2337c8332f69b4cf6b023c9a8d3c053b527a5e14c7ef14
-
Filesize 11KB
MD5 34ad6caac7b0c5734d15270a857a2b5e
SHA1 ccfc000c716953f68d3ce8878ec2ac665be3e74a
SHA256 35156ef3a49a22ca7c347f48646bc2ba8960caa968a12e84d51b4d1a98f3d37f
SHA512 833739c0179ca80d8c89973f61654799657f98f167f48767d68947598d7d6214f98c7636f3a5ab4bf002a489ec3c10a838d9aace4cc76ff473b0faa3ba664d37
-
Filesize 13KB
MD5 ea67fd2348ef285a63cbd96180cf134c
SHA1 328865971517719d96a2b2287bcb3ecb22fb5409
SHA256 ca15b3df1ee37d906608860e09aa6c157ec8cd1bb970c5ceaa268668c3471195
SHA512 c3c3c8ce3777177cb3881a6f1d39cf1bb2aa5d6dae70892df4ffe422e96aaef96c9504e6a7fc2c36f39f63ab93bd4b00711992fb4465705f7683ae8d474aa22a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize 1KB
MD5 f946af6815a8dede179e81213feca186
SHA1 5a6d7cf16494c095be74c5541a18a63fc3c2603f
SHA256 b5f4c0a59285806235fb16d4dfedcf0e6078ca0011ddf33f187f5b8275f4b646
SHA512 28664b17c2d155a040845d8f280445065461e7bb396ca8bc4689d695d2901febda2dd738c51240d3cfb0896a2f9d4810978d8535783c7c2427a3176b63cdfa7c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize 5KB
MD5 1ed35173bd9e6ddc55d36f6f78da99a3
SHA1 3372e3ca8ddf287127d37926511948d89d2b17d6
SHA256 75eedcc840a64744a67a70373c4f43f1a18dd9eb59935fbe1c6ace2fd4e76d07
SHA512 6a78fdd24fa883ff1638dd128b99b4b895619d3814bc133b84a4fcc44458448ee5777a2fe91e80a3dfa492e7e664840c6f81c2107529fbb6f6a1761410df9fd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.1MB
MD5 c4ca13314191700053b1ec9ed5f361ed
SHA1 5f4ac5a7925e88edf4e2c7987a24eeb1728621ea
SHA256 fcece7509178478463690f920230639c85649ecae83021195df81895df800ed7
SHA512 860245622e44d6aed2bbd4d50972d8a70d005324550c289961d31bbea702961c45806aa8be5631b3605224a2b7b048a3eabd4b0fb81d51f6c29991ab28d1121b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.4MB
MD5 90cbd26765e981e80a25a184813c85cd
SHA1 bad4aae511417b15c8de6913283fa9a08e5672cd
SHA256 ed773fc0fff3499a99df3a5dfc06caa8e60efd3a72a26e0f502e74367902215a
SHA512 906dcb1a0e9b73ee0e2876e58402ed0cdcd2a7b1056fb62c55870c8fe6dca17f33a549c0a55fcb8c97379059990823aecf710de0e0158986b9609aef9cde0a7a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.4MB
MD5 2b9aec41d37332998443b72ad70b3f98
SHA1 41b81239e7b57320bbadfcb77a9ea3eb412f6c65
SHA256 1da2cc2a8ca25f26d1192f92f42bd4ab7029b4a3278007a064151567020404ef
SHA512 ad53ac0492eb7bde2058d74b4a8b56bf8364b14d7e9aa867b775426d795fdeda02b73bf83ea97bf38cccb0e32e0fb82f77355eaaddfacbe49fbad1228ae9525b
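The dropped-files listing above is a flat key/value dump: the key is often fused to its value ("MD5bb45..."), a value sometimes sits on the line after its key, a few entries carry no path at all, and the same Firefox profile path appears several times with different hashes because the sandbox hashed the file again after each rewrite (recovery.baklz4 twice, the idb .sqlite three times). The Python below is an added example, not part of the sandbox report, that parses this layout into records, checks that every digest has the hex length its algorithm requires (MD5 32, SHA1 40, SHA256 64, SHA512 128), flags entries with no path, and groups repeated paths whose SHA256 differs. The first three sample entries are copied from this page; the fourth entry, its path and its digests are constructed (deliberately malformed) to exercise the checks.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex-digest lengths for the algorithms the report lists.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Key fused to its value ("MD5bb45..."), separated by whitespace, or alone on the line.
KEY_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: Optional[str]                      # None when the report omits the path
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def _store(rec: DroppedFile, key: str, value: str) -> None:
    """Attach one key/value pair, validating digest alphabet and length."""
    if key == "Filesize":
        rec.size = value
        return
    value = value.lower()
    if not HEX_RE.match(value) or len(value) != DIGEST_LEN[key]:
        rec.problems.append(f"{key} is not a {DIGEST_LEN[key]}-hex-char digest: {value!r}")
    rec.digests[key] = value


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Split a flattened dropped-files listing into records. Entries are separated
    by a line holding only '-'; each starts with an optional path line followed by
    Filesize/MD5/SHA1/SHA256/SHA512 pairs."""
    records: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    pending: Optional[str] = None            # key whose value sits on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current is not None:
                records.append(current)
            current, pending = None, None
            continue
        if pending is not None:
            _store(current, pending, line)
            pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            if current is None:              # entry that starts without a path
                current = DroppedFile(path=None)
            key, value = m.group(1), m.group(2)
            if value:
                _store(current, key, value)
            else:
                pending = key
        else:                                # any other line is a path starting a new entry
            if current is not None:
                records.append(current)
            current = DroppedFile(path=line)
    if current is not None:
        records.append(current)
    for rec in records:
        for key in DIGEST_LEN:
            if key not in rec.digests:
                rec.problems.append(f"missing {key}")
        if rec.path is None:
            rec.problems.append("no path recorded")
    return records


def rewritten_paths(records: List[DroppedFile]) -> Dict[str, List[str]]:
    """Paths listed more than once with different SHA256 values, i.e. files the run
    overwrote and the sandbox hashed again after each write."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        sha = rec.digests.get("SHA256")
        if rec.path and sha and sha not in seen[rec.path]:
            seen[rec.path].append(sha)
    return {p: v for p, v in seen.items() if len(v) > 1}


# Sample in the report's own layout: entries 1-3 are copied from this page; entry 4
# (path and digests) is constructed with malformed values to exercise the checks.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD5f946af6815a8dede179e81213feca186
SHA15a6d7cf16494c095be74c5541a18a63fc3c2603f
SHA256b5f4c0a59285806235fb16d4dfedcf0e6078ca0011ddf33f187f5b8275f4b646
SHA51228664b17c2d155a040845d8f280445065461e7bb396ca8bc4689d695d2901febda2dd738c51240d3cfb0896a2f9d4810978d8535783c7c2427a3176b63cdfa7c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD51ed35173bd9e6ddc55d36f6f78da99a3
SHA13372e3ca8ddf287127d37926511948d89d2b17d6
SHA25675eedcc840a64744a67a70373c4f43f1a18dd9eb59935fbe1c6ace2fd4e76d07
SHA5126a78fdd24fa883ff1638dd128b99b4b895619d3814bc133b84a4fcc44458448ee5777a2fe91e80a3dfa492e7e664840c6f81c2107529fbb6f6a1761410df9fd7
-
Filesize
11KB
MD5e29157a56eaee0a48edc3f2699c954b2
SHA11513602296a8f289b7a9354b83fec5733ab29c0a
SHA256882c93eeb7d65a0035503f12fd3bef4e1c7679340c28020cff12435e3a5116ac
SHA512e5efd36518f1e0a919c0d400cffda9c17cd417abacc82c5072dfc8f654cc0800dc52798dae77cc501f2337c8332f69b4cf6b023c9a8d3c053b527a5e14c7ef14
-
C:\Users\Admin\AppData\Local\Temp\example.bin
Filesize 3KB
MD5 0123456789abcdef
SHA256 zz
-
"""

if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for rec in recs:
        print(rec.path, rec.size, rec.problems)
    print(rewritten_paths(recs))
```

Run against the full listing, `rewritten_paths` separates files the malware actually dropped from profile files the browser itself kept rewriting during the run, and the digest-length check catches hashes that were truncated or mangled in extraction before they are pasted into a blocklist or hunt query.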