Analysis
max time kernel: 142s
max time network: 148s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-09-2024 13:30
Static task: static1
Behavioral task: behavioral1
Sample: 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Resource: win10v2004-20240802-en
General
Target: 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Size: 1.8MB
MD5: cd268fe44f4a06a4caa51942c12ef363
SHA1: 31bb332e14111b3142c93c9637e1e7ffdd1c6362
SHA256: 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21
SHA512: 6c78a753ef4a76f05381bd98b9d0c9b4ea03848ac230a5065f7f2edf5a431ef186e1997e6f20c9702938d73280d2dd29bda7ba89f96babe221ff7bf0029b471f
SSDEEP: 49152:dUyqn8VVapJOovHm5pm7L1xNhCWfthS0HOmAS8woZM0:+ln8VopJOovHm5pG7FfDuu8S0
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
url_path: /e2b1563c6670f193.php
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2b04ce22e5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4d71cb17f3.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4d71cb17f3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2b04ce22e5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4d71cb17f3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2b04ce22e5.exe
Executes dropped EXE (5 IoCs)
Processes:
pid | process
3360 | svoutse.exe
4492 | 4d71cb17f3.exe
4388 | svoutse.exe
3444 | 2b04ce22e5.exe
4652 | svoutse.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | 2b04ce22e5.exe
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | 4d71cb17f3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine | svoutse.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\2b04ce22e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\2b04ce22e5.exe" | svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
pid | process
3688 | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
3360 | svoutse.exe
4492 | 4d71cb17f3.exe
4388 | svoutse.exe
3444 | 2b04ce22e5.exe
4652 | svoutse.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4d71cb17f3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b04ce22e5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Checks processor information in registry (2 TTPs, 14 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
pid | process | entries
3688 | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe | 2
3360 | svoutse.exe | 2
4492 | 4d71cb17f3.exe | 2
4388 | svoutse.exe | 2
3444 | 2b04ce22e5.exe | 2
2540 | powershell.exe | 7
4652 | svoutse.exe | 2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process | entries
Token: SeDebugPrivilege | 2540 | powershell.exe | 1
Token: SeDebugPrivilege | 1056 | firefox.exe | 2
Suspicious use of FindShellTrayWindow (22 IoCs)
Processes:
pid | process | entries
3688 | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe | 1
1056 | firefox.exe | 21
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
pid | process | entries
1056 | firefox.exe | 7
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process | entries
PID 3688 wrote to memory of 3360 | 3688 | 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe | svoutse.exe | 3
PID 3360 wrote to memory of 4492 | 3360 | svoutse.exe | 4d71cb17f3.exe | 3
PID 3360 wrote to memory of 3444 | 3360 | svoutse.exe | 2b04ce22e5.exe | 3
PID 3360 wrote to memory of 2540 | 3360 | svoutse.exe | powershell.exe | 3
PID 2540 wrote to memory of 1676 | 2540 | powershell.exe | cmd.exe | 3
PID 2540 wrote to memory of 5100 | 2540 | powershell.exe | cmd.exe | 3
PID 2540 wrote to memory of 1844 | 2540 | powershell.exe | firefox.exe | 2
PID 1844 wrote to memory of 1056 | 1844 | firefox.exe | firefox.exe | 11
PID 2540 wrote to memory of 2516 | 2540 | powershell.exe | firefox.exe | 2
PID 2516 wrote to memory of 4980 | 2516 | firefox.exe | firefox.exe | 11
PID 1056 wrote to memory of 1328 | 1056 | firefox.exe | firefox.exe | 20
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 3688
  [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3360
    [3] C:\Users\Admin\AppData\Roaming\1000026000\4d71cb17f3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\1000026000\4d71cb17f3.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4492
    [3] C:\Users\Admin\AppData\Local\Temp\1000030001\2b04ce22e5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\2b04ce22e5.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3444
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2540
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
          - System Location Discovery: System Language Discovery
          PID: 1676
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          - System Location Discovery: System Language Discovery
          PID: 5100
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Suspicious use of WriteProcessMemory
          PID: 1844
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1056
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c0d3309-fa38-41b5-82f1-d312879e387a} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" gpu
              PID: 1328
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf5ead21-234d-4b06-bf83-1c3c608cb09b} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" socket
              PID: 1980
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3368 -childID 1 -isForBrowser -prefsHandle 3276 -prefMapHandle 3272 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a8d416-07f1-4834-bc4a-e13962845ee6} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 4396
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3516 -childID 2 -isForBrowser -prefsHandle 3236 -prefMapHandle 3280 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fcb79e3-e283-4423-8cb3-64b565fbe40d} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 1016
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4168 -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d612a02-a47f-44a6-8387-cf6ab3ca05ee} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 2256
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20faf1ed-7fbb-417b-b8c8-1efd2bc8679b} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" utility
              - Checks processor information in registry
              PID: 3204
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 4 -isForBrowser -prefsHandle 5824 -prefMapHandle 5828 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a70006c1-b9b0-445c-afba-d51f6b55819c} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 4300
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38d63fa8-4b0a-433c-9115-2d9acebb3d7c} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 2128
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 6 -isForBrowser -prefsHandle 6140 -prefMapHandle 6148 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea06112-3f51-46a0-9ded-90ab56daf3a9} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab
              PID: 276
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          - Suspicious use of WriteProcessMemory
          PID: 2516
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
            - Checks processor information in registry
            PID: 4980
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4388
[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4652
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json
Filesize: 32KB
MD5: c0f17f558dc1fd46661b326f659ece85
SHA1: 2fd9b3a64af4e0b7520a2e42d1a6036b457ead0b
SHA256: 54f70033268ebc28cd04149769b5fe98a0d38d75b2829c5d59ba870a392e3c0d
SHA512: dc3ca97a4eed9446ec3eb599d9aee8e98e84d27bc6b3bd5399c6122d47c8ae5b86d42aef183685a65a62c6d23a5e4d7ceb8b704f08b53db9e28e1aa77f220dc6

Filesize: 1.8MB
MD5: cd268fe44f4a06a4caa51942c12ef363
SHA1: 31bb332e14111b3142c93c9637e1e7ffdd1c6362
SHA256: 146aed5d466d301896ec8a90deef7df0dba1bb123ce4a269ade752bfdf21aa21
SHA512: 6c78a753ef4a76f05381bd98b9d0c9b4ea03848ac230a5065f7f2edf5a431ef186e1997e6f20c9702938d73280d2dd29bda7ba89f96babe221ff7bf0029b471f

Filesize: 2KB
MD5: e05e8f072b373beafe27cc11d85f947c
SHA1: 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256: 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512: b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Filesize: 1.7MB
MD5: b7e094cbc9d971fde82441821f564d37
SHA1: d33036607f717ab690a11e507420153b771ba958
SHA256: 136d677281759fbfcfe3b706e7de4b5a866834509ce867edbb3b6693c90f2f68
SHA512: 185557b9423bf9ea79e0950ae9e6ba739ad10b1a3fe8a42a54fe9edc31196ab20bc980d556bee68ddb3791763ef7c43d711bb135801866e8e1fedc246e04b8fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
Filesize: 6KB
MD5: efd531ee4167f56a456834b1c710cf59
SHA1: bf02f6674acdbdf4ae9cb447c4046ebef444e748
SHA256: 6a5e8f8463f152eb95e3fd2aaddd4f77b1efc90c539276bf2202c236cb18c434
SHA512: b6f7cc26f80d5cc17ea34d165a7c123505370edacb077dec972ddd2a6e0455539586e229461a4995859a2f583f5d807d8a3400461164a62b3689a1b6741871ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
Filesize: 10KB
MD5: e61ee59086b2298088458fbcdf0ac105
SHA1: f15c015fa6a9f3514629be3dc992b9daf3b0d3d1
SHA256: a24bc834e303c1391f8d8755dc0c97cf3063cca03fb5f372820099654ffbe7b1
SHA512: 7e22e6ee336995bf4d6478f85d5c5392dd37ae3160436b3dcd56d910904d2376e7694aab7a37ccb3966de1858eb9ff3370deff51e84a0309df69536c3ce1a40d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
Filesize: 12KB
MD5: 4002ecfa04e68674080ed980a6551957
SHA1: bc5c372f17a2dfbd6b4d2b31c6cd61e7d3f2ae1e
SHA256: b3efbe0e32b74b423661fdd121d120a52aa4cd8bd4d9eb0d14371e8f0c2b3deb
SHA512: 448aeb14d6dc92f3a5d37e8c3cb8e2317edb3fd5b461fb3912779714ae3fc2237d1ba7e7e5544025a9fcc8efb189aada5acba94b9343091c289cf2629ab7007c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin
Filesize: 23KB
MD5: eebbb7292ad0d0f452e4e118ce5c985d
SHA1: daba64196b2ca91062af30c3b12a3d8807ed096a
SHA256: 6a6fd44e5710be36b3859f55da447c85e42600d7b00a09415a21c1b96a322bbb
SHA512: 7dcdd11953e67694ac476ea47db455c4b50f3814e0e9d013460e4cab7b4755b8d8af2e11a13ed648fd6ceef048a530ffd8923c77c7cf60dad1b6eaa91e9ba310

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: e2bce00150fe2f6ec99218c71240cbb5
SHA1: 6dd014f46818a083ad6eb44cb2f7e1ba1c8c46dd
SHA256: 07102f1baf4594431a620e5ad34ea5c787b98960b1f2b7cf32792f455675ef4f
SHA512: 13f28ab03eb10738de176bb4c608bc482a93b6dcbe578cdd7ef09d1e272b77709d9561b5479de913cc418243dc02fa4db6afb95970dafce93128b29224b6c63f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: ef70184a920ac6896d37e35fe30319f5
SHA1: a3257e1c73918885400b2d2c801c6c780549d745
SHA256: af17e7e3a67d4d665f444aae6c08d7e8527e7169c9f17c667e5954a49e51fcc2
SHA512: 53cfea1de3cd5a920396092731baae69c6d08a9926c60196dd95713afb4d41327b00b2611ef4529699344c4139aca9d75fd9b29a86c37ecf242cf7f5e746d05f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: e006c638dac06a4b9f2b5941c447c88e
SHA1: 8aa9da35b5d7c5e94491a9cc48f9c5ec3f3424bb
SHA256: 75bb2d72d6ad4174a6ae859ac9269b0e722ca946743661e5c4ba43520462998f
SHA512: 5301b0f7786e4eeb567606ac55cefbce325dcd89fee2984ea4d2c76c2d244787a8d0631f8678f60cd038478edd7eb58e6cd838d4ae104ab0cec792a39ad14217

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 31KB
MD5: 5089db24578a0c7b06cb78fe80df43c7
SHA1: db5d6916af67ce21ceb40ad05675f39dafcbfa60
SHA256: bbe9ae9d45ef251d20a32d8544b24233a4cb7a8bfbcb02c68334e693fed67486
SHA512: c52be1682ad9b020c61d566d23ae9e5075afbde35530c91f5c57130fdbacf7baf44625bed03c8dfc722778a33c1383049296ccc47496efcb2fd5fe1368c52d24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 29c85015c45be1d9d3fb828528e9f0c1
SHA1: a3221cc80d128463c60c9c4027203eb52416343e
SHA256: b907d1d039d7ed14d3c08e2d934cbcd55bcbc58b3217a98e9bc8df9bf539599c
SHA512: e7fbd6fc50635fe89e1970a9ed521c8e8e10500dc1525aa53536b8e91d26527f4ea6c4ac588ce4562b66be9542a8888b73f3bfe431220adbb1e0c004747d8755

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\146b1be7-c146-420c-9975-c0d8b294a374
Filesize: 671B
MD5: 4643747c251ac9c646abbccbf2a4edbe
SHA1: 5cdb0dbf780fb895298ca192e62c8620b911bd92
SHA256: 4333e0544dbe2397869b61879ac20401bde330a50b8318ad3900026aaa3eae52
SHA512: 2d52c054e2e1fffe33bedbb9fa91a11093afd689bb37c10590195f07ccef7096b16362bfd9e9da348800d23597ae797cd5fe6e9e214b6088399569ef94974bb9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\4a13a65a-2500-491b-a3d4-fed6736282f6
Filesize: 25KB
MD5: c00933795973f9b3c8444c068da5b210
SHA1: c973d5697c3d495190025d240b0df0a1cbf06574
SHA256: 55084e3d602bf2dd5f226d550859ab86ac4bb9bca938977b38abfcf1985ec8e3
SHA512: 7f9b883ba514ff05c527a1b608165544d62de75e9f55ba1229e06469b931103bab4c487a8ca860d18d1b8131cdeb716d6235a289e362a9c875a175ff1eb19b91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\b172c7bb-dd9c-4d80-89b8-5fa9840e8a9b
Filesize: 982B
MD5: b162ce4d3229ab1ddfbd827946a482c5
SHA1: 05bcb11917eae9837a22680e3a540c869da301aa
SHA256: 0543d6f482d8f0211725fcba0436d0e29e2416a05cc5307d5edcbbf7d8b7dc2c
SHA512: 77149a341a1e63875fa0bdf7c67e75570f13be731dce7625e7b903610a4ac3ddea0b7898ed176ec3392e5f3b7266016f509b6686a0ce8844c826525eea52991c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
Filesize1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
11KB
MD5efbe4e7e0fa1d84c5a1eb8c7845d617c
SHA1616450f93507de5575df83152da02928182111b5
SHA2561cfa203b601b5046fa984616872e26fd9de42a5fd7f88c5e1341366314bc8ecc
SHA512932028af28066dd8c173aa44b28e238db213b8f52a4d48894520297790f737a52aab2d1d9f107d4f826420f55746d72f3bad14ab4c7a71c070b258442e94fca0
-
Filesize
11KB
MD595c5effe8c737457f4ad2187f019f4d5
SHA1979005097e478c46723a483371121d71ac297bfa
SHA2567dd78a49858228543f948bd3970fb8730ae3934d6a44cb7bd0502e6665fba280
SHA51255648416e9e24a9347f3448df06443016517b65f10195084773c482e08d7317442088e53a58d2f86777515f30b7c3be50874204882fe339e04ac60d5568a4421
-
Filesize
12KB
MD54b4d1dcb036b1df4cff3a970fc22438f
SHA1d3216373c398fa6806b5688872148b506699e963
SHA256beccf3cb29332d256cf8da8156b5d73d865a05e5d64064841417f7b6a43cb580
SHA51251c77ae2c5208b7129e0268ce56b3191fa30b174dd4a2a351e730bbdc9db6941e2abcedb40592d858e55bf72fd4723304f13bce7b93e14d1f4e2dbeced0d6c74
-
Filesize
11KB
MD5a3d85862c6c0acc9cf48325c879b91a7
SHA1d993732195060af9aa8eb6fa80550a1ad99efd5d
SHA256dcfd67533f011d4905633dcfb63f32182d3a27247bed21f077eeeb2b728b4030
SHA512496df97b1be966964ab8984bce46f6550201cd8154b28a08fc076effef19881cb6ebc153ae4f148ff133a5fe6d9794fefe54d1ec06ecdc4b4ef7ce60610223b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5bd80084a621ca72faa02cab24b95af71
SHA1d013ca3c94eb299ccb07556784b50b47c4668030
SHA25655738e1f6cb353e51d30bdb5df33df1a540a8471458422726b4ada6187d64657
SHA51242a92fb1c83f3d58da7c66f3d5860c2981ee59c216f9bac6f7e87b1182082b0a472864ab14ce4a74825c64d72ebcbf8b35b1407237de4ab7fd4c1041f3a67c4d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD5af7bc9271dd3e259f547cff80f8d9ddc
SHA10a9eb5d8f8d111ed13d466be6f5bf8485a4855b7
SHA2562288745e4754e8fc95bbb907ae92c4bab0dd49266cda25dc4c045d242fc5fb63
SHA5121fa3a430f7972d388a1d7ca5d6ed1f3073e325184dd9ac4ae26dcc3b54137c4fa00fd726bfe26a270724e7327bd19ecad7e937da4e9e5609342ad10affaf1de5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize376KB
MD5f62d5f10fa6c604324723654cc13ef39
SHA15cd1e9f0364099ee32d783a731a47912c9716577
SHA256643c64596269c9d4d3ab1eca336abe1b5c974ae563942892b74ae7563c0b4815
SHA5121900ec3eff09a4ef085e56df1703734446240318fe30cdefe4c18edcd40ab4598b9943cb24915612c92f3c6fcd3a1d90e4334ec5aec4ac0a8242be254e6b29f2