Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-09-2024 14:55
Static task
static1
Behavioral task
behavioral1
Sample
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe
Resource
win10v2004-20240802-en
General
-
Target
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe
-
Size
1.8MB
-
MD5
ccf7de51b317996803c0ce2b2643db99
-
SHA1
41714678c993ef55bc0593383b7eff9e8b43bfb3
-
SHA256
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef
-
SHA512
5672f9cc1c120dc2e35a2e99c6261ea33b36d7c21b88dc27dc4ec733fe7df38586dc63fbe0161888d122a22a8768c856f26c5293f47f0657174dbb4eee90a395
-
SSDEEP
49152:qwlE3HI4/C1FFYIQgbNbLzjFR5cRjLqOF:qwSHa1fYP6Nzo
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exesvoutse.exesvoutse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svoutse.exesvoutse.exe416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.execmd.execmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation svoutse.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 3 IoCs
Processes:
svoutse.exesvoutse.exesvoutse.exepid process 1356 svoutse.exe 4744 svoutse.exe 5044 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exesvoutse.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine svoutse.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exesvoutse.exesvoutse.exepid process 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe 1356 svoutse.exe 4744 svoutse.exe 5044 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exedescription ioc process File created C:\Windows\Tasks\svoutse.job 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exepowershell.execmd.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exesvoutse.exesvoutse.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exepid process 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe 1356 svoutse.exe 1356 svoutse.exe 4744 svoutse.exe 4744 svoutse.exe 5044 svoutse.exe 5044 svoutse.exe 860 powershell.exe 860 powershell.exe 860 powershell.exe 860 powershell.exe 860 powershell.exe 860 powershell.exe 860 powershell.exe 6060 msedge.exe 6060 msedge.exe 6136 msedge.exe 6136 msedge.exe 4576 msedge.exe 4576 msedge.exe 1884 identity_helper.exe 1884 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
msedge.exepid process 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exefirefox.exedescription pid process Token: SeDebugPrivilege 860 powershell.exe Token: SeDebugPrivilege 3672 firefox.exe Token: SeDebugPrivilege 3672 firefox.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
firefox.exemsedge.exepid process 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe -
Suspicious use of SendNotifyMessage 44 IoCs
Processes:
firefox.exemsedge.exepid process 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 3672 firefox.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe 4576 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 3672 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exesvoutse.exepowershell.exefirefox.exefirefox.exefirefox.exedescription pid process target process PID 4848 wrote to memory of 1356 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe svoutse.exe PID 4848 wrote to memory of 1356 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe svoutse.exe PID 4848 wrote to memory of 1356 4848 416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe svoutse.exe PID 1356 wrote to memory of 860 1356 svoutse.exe powershell.exe PID 1356 wrote to memory of 860 1356 svoutse.exe powershell.exe PID 1356 wrote to memory of 860 1356 svoutse.exe powershell.exe PID 860 wrote to memory of 3156 860 powershell.exe cmd.exe PID 860 wrote to memory of 3156 860 powershell.exe cmd.exe PID 860 wrote to memory of 3156 860 powershell.exe cmd.exe PID 860 wrote to memory of 3416 860 powershell.exe cmd.exe PID 860 wrote to memory of 3416 860 powershell.exe cmd.exe PID 860 wrote to memory of 3416 860 powershell.exe cmd.exe PID 860 wrote to memory of 1884 860 powershell.exe firefox.exe PID 860 wrote to memory of 1884 860 powershell.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 1884 wrote to memory of 3672 1884 firefox.exe firefox.exe PID 860 wrote to memory of 4556 860 powershell.exe firefox.exe PID 860 wrote to memory of 4556 860 powershell.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 4556 wrote to memory of 1004 4556 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe PID 3672 wrote to memory of 3020 3672 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe"C:\Users\Admin\AppData\Local\Temp\416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account5⤵PID:2448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc08dd46f8,0x7ffc08dd4708,0x7ffc08dd47186⤵PID:2748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10066899169926173284,1264493183454012474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:26⤵PID:6052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10066899169926173284,1264493183454012474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:6060 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3416 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com/ServiceLogin?service=accountsettings5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4576 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc08dd46f8,0x7ffc08dd4708,0x7ffc08dd47186⤵PID:4772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:26⤵PID:6080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:6136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:86⤵PID:1364
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:16⤵PID:3760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:16⤵PID:724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:16⤵PID:4652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:16⤵PID:5352
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:86⤵PID:5868
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:1884 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:16⤵PID:532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:16⤵PID:4500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:16⤵PID:5580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17720885290256933913,9020692078897535112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:16⤵PID:2948
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc80dc92-babd-4e37-9a9e-a819a2f721fc} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" gpu6⤵PID:3020
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9859455d-9945-47be-a6e5-10b5563b975b} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" socket6⤵PID:3464
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3176 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83a0053a-eb36-42e8-91b8-dd96b21f36fb} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:3720
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3252 -prefMapHandle 1440 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34281f26-2285-428a-8deb-4dce51247c53} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:3280
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3664 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fca65350-552f-404d-a89e-4860c256df78} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:4704
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63124642-e234-4dec-89bb-4b9eacf9427f} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" utility6⤵
- Checks processor information in registry
PID:5332 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 4 -isForBrowser -prefsHandle 5784 -prefMapHandle 5884 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a152fa5-858d-490a-9b26-423adb191fbb} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:5652
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 6012 -prefMapHandle 6016 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41328d84-ae30-41b3-9812-f50bbb305b78} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:5912
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6276 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 6200 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2cd4e60-f0c2-4596-b894-2ee154158b1c} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" tab6⤵PID:1400
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd4⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd5⤵
- Checks processor information in registry
PID:1004
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4744
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2232
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
5KB
MD57710d134e7a4643d51796ddd53978970
SHA1ab31fe63444147db223ca36291c5e3ab825bbfd8
SHA256e86dd22aa6b2c670dfb4e702670c551911f185a998bcb094bfabe5339b9c034f
SHA51207611d02e122b86dbfef88a60103c36bc8746405b280dda5657b2e8d8b122aec513a5e6c993d7cefa1aa5c2c2aaab02d0842c8ae9a5208ae6fc7ce8568b13214
-
Filesize
7KB
MD53357d4f8c81ce499f7b866e562e112de
SHA1b3caae1af7457c53d2fd09ec69f2a1524c42d428
SHA256cec145de2a9264139d6bfe285c3c785d082943769ccb3141bfde40c461ac37c5
SHA512b35fff486e541a6d29a09a21e2d6bda47d3158aa49b487d0772f5cb3d0dd24e8d52b5c7966ae187cbd9a6a5543daaff305be4ba1d05bc07231da6fcf8ae15e0c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD53664b06041742b88f4846fca123501ac
SHA1f227487805cb296b3d24aa9c855526d7d5c44928
SHA256b665a3a5e01e51a9e0c9307380500b1c49e4c194dceb0dd94298fbe9d6e7c42d
SHA51224b0cbe3f5c07ae616392dbe8cbaedb72d4ccb09b622163a528116cd068f0a5bb7843b8aebcd9eaf1681724920a66acb2eb2930fbddbee17ea3e57338dfdbefb
-
Filesize
8KB
MD5062bc60dc1749eabc7148d229e135a44
SHA1c9d85902cb40128094eebbcdbbdd81415fb2752d
SHA256a594e566ab73317d85dac7182ef77394ba3a1fc23eefe298937cba00593db408
SHA512543f03172003c65a3047ca7462bca0d50123a6c7c0f2c4b4ef505b27e6ce63484119632ec74990a2a2ef3a18c7c5df59b2f2c3b9050b5b4794430428b8d2d83a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json
Filesize26KB
MD54a4a034b1ef9b491a43b70531a3b4b7b
SHA12f5465756369eb4b7996904e5196bdce7149757d
SHA256da980d12e352b0ac777b61cb0ffcab25395466960b37bb42b952ac276ff592f4
SHA5125fd454c98575224bea5890f91da68758d30033f8d4ca2d3a18e764cc10ac147bce95ff1bbe0fe2cc9c97de01972a9977483ae2c5513eae3b816ea53fc537ec5f
-
Filesize
1.8MB
MD5ccf7de51b317996803c0ce2b2643db99
SHA141714678c993ef55bc0593383b7eff9e8b43bfb3
SHA256416f915fb3b582641972ea178d5b5e55019589fce18916218b5ae4cf8db850ef
SHA5125672f9cc1c120dc2e35a2e99c6261ea33b36d7c21b88dc27dc4ec733fe7df38586dc63fbe0161888d122a22a8768c856f26c5293f47f0657174dbb4eee90a395
-
Filesize
2KB
MD5e05e8f072b373beafe27cc11d85f947c
SHA11d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
880KB
MD502b0af0a4601ed1197aef1bddb2a0511
SHA130867d067e7c1bf38952b686250772b91b8a7198
SHA2569ad1bdbc482380856c2499d90a78113ef91b3189bf42df62e1a054b98ee8f0bf
SHA51223ca31b74ee12395314bd4532a8a07dd040b08f2bb75e8fcc577f76eb5f3c0616c4de52792d1cc66969b0a320169992f6fbd863d10c0137d9f31436970e0c185
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize8KB
MD558c5fb1c62533ab1a0cec82d5d58fadc
SHA1c77c3281e16fc6e9135d6ec17eb7d3a976a72f67
SHA25615f5f2314058f3b6124969b2cb7973b89d210204169b3035169884ff418b8dc0
SHA51230e056b665766b4e845bd3bdfe2675b9615bb557c89bc9a2348d224b820e417c002541ce4c3575e2a9d16651aa187ce8d26f3553d73ca14dfbf09940cdaf4b93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize10KB
MD5b429a674e7fe1a3cff4e97176ae639df
SHA1ed9fc969190bcbedf7a67091b33b96cbafbf5ef8
SHA256e692dd8cc50f1435a028a8e477a76c9275d30edb13f4a9b0f588d5ec1611ec83
SHA51280e54e89003a4e5d5b47c0fa12cc4794ce5cc207073d1f9fcd0fd673cc08bb04c87a9598300b5e106ae5be3c042a60532466d66e267c9a9f3eba1b2391c26459
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
Filesize13KB
MD511fcccb99f0b51e69c169ae504e0f74c
SHA1bb00764afb5cbdf664fe1c68e13e61fbcdc99cd2
SHA25653e340a05dad30e4a3051b4ab0846c74ba8803de0372938594d2fbbc18018748
SHA512af04e1bc2a6bd8c7c05d84c68f21c68d5936bbbeaa65c69fab7d4408230ed471a4a2a9af276c5725371f7c16197e6882ad92024925ec61056b81c7d89c7301bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD57f75dd26a072ea598c1159657a19cce5
SHA1c163877ac6324ee67130ef1b0efbc3ca0b2249a1
SHA25687a599d98d1f234f323fb1f7575dd5730c5ccb912cc76762ed7f5302afb5d6c1
SHA512ed4fabcf2e149a1b24e28e0bf1d0752ed312df82fada49b9a098644d2ed9b8c96b4a2c27f217564b755c63340aebe031cdfd7817de10b0e348b759ab969837c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5d1de9d5c288f5ac7471fe66e1f002abe
SHA1035c6b507dfe728ff1a5e77e06e906efd07c479c
SHA25657417edcadf7768b185fc34941787404b1827f85e04852b21e99dfe9ba7cf730
SHA512f2d947aa8fe3bfbafad208e8ebd465b9c1bd9efd4df051d40952d349e6daf0d1380500e161960dfcba21ee80b0f0baf8efb1dd88fa731c35c2cd44c9ff7a9b45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\2827b580-f25f-4a4a-9b2e-3682f85051ac
Filesize982B
MD5ab55537ebb73e2c9f5dadb8b6d6d01c1
SHA13e152d8a2ba2332db6897dcf98f7f4991171a661
SHA256ebeb18720e53059b56ab1d8b1cf57b2c3792096ef138805c57857465477bc106
SHA51234d5dd2ade8d135f4da29dee90d696254e283552d68e9f4e3c3d6aba0227aeb7a0627736039f7e9f3f5eab18352875e62fc4b8c72bcdecf12ee9216951f1b433
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\a5669e98-d7b7-4d11-9807-c6c25396b88e
Filesize671B
MD5b4cdfea470f85d8404530ee0a207e414
SHA1942d0737ed2b205ce359e6ec5c9cc14c264ac0db
SHA256c42cb181788762df5b6a53207509ef0e16fc8616d0980d234e9894d9e14ff32e
SHA51224484020e35064bda4dfc6ce4d168b8d78778565cf255717394202a02e4c099c2e21917b4b7cb531be08b9889993cd10a9a5c77656addad3894cfca5c65146e1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\c227d61a-8f67-4173-a88c-3eea5979d831
Filesize27KB
MD59f47e8a43d5a78f95306f1bcb847097d
SHA17f4e829d5a1c94eec346fcdb48a54f7a7ee6ea8b
SHA256dc029418be1be83d1614c40d9b7f07ba919c9e1c59ea7f051782e9fe3d6f7e35
SHA512ec18f13f501d7da52f713d1a91c4c63996a6244de02a2ec723784fc7ef8bc63ad5cad7a4e8e1e2c0ba73c33906bf941a0bdb24043a261200e64df4f32eb36eb7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4
Filesize1KB
MD5cd7dec8254be521443d2d0f110e505a4
SHA1706eba69773d98081417178f4c99d03dcf558511
SHA2560fe2c16af49e18eb026f08050f583ae4d7e2173cd7fedadf9ee1d9a1d0e3cc58
SHA512268ab92ef1b2dabb42aaa20068c33ba7769184bda19121a11e9ac9427eb8e0bb0668ca0c027b72576e08b201f9ba5700e9fafdef8976abe2e088a4b0c676a673
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e