Analysis
max time kernel: 145s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-09-2024 16:26
Static task: static1
Behavioral task: behavioral1
Sample: ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Resource: win10v2004-20240802-en
General
Target: ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Size: 1.8MB
MD5: eeb139916aa5a94fb6de01d67d329939
SHA1: 7881a77833d76054afee411c19b37b5ee08ca9b1
SHA256: ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
SHA512: f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef
SSDEEP: 49152:U7cDiWv20IGA9yOEwr22eavHXsQQVQutTqrIBxjsSst06:Ug5+Zoa22eav3MVQutTkIBx1st0
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
Attributes:
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: rave
C2: http://185.215.113.103
Attributes:
url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 114eb35934.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3de546954f.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 114eb35934.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 114eb35934.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3de546954f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3de546954f.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
440 | svoutse.exe
392 | 3de546954f.exe
4452 | 114eb35934.exe
3392 | svoutse.exe
4512 | svoutse.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 3de546954f.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | 114eb35934.exe
Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | svoutse.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\114eb35934.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\114eb35934.exe" | svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid | process
4648 | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
440 | svoutse.exe
392 | 3de546954f.exe
4452 | 114eb35934.exe
3392 | svoutse.exe
4512 | svoutse.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3de546954f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 114eb35934.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process
4648 | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe (×2)
440 | svoutse.exe (×2)
392 | 3de546954f.exe (×2)
4452 | 114eb35934.exe (×2)
700 | powershell.exe (×7)
3392 | svoutse.exe (×2)
4512 | svoutse.exe (×2)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 700 | powershell.exe
Token: SeDebugPrivilege | 4288 | firefox.exe (×5)
Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
pid | process
4648 | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
4288 | firefox.exe (×21)
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
4288 | firefox.exe (×7)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4648 wrote to memory of 440 | 4648 | ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe | svoutse.exe (×3)
PID 440 wrote to memory of 392 | 440 | svoutse.exe | 3de546954f.exe (×3)
PID 440 wrote to memory of 4452 | 440 | svoutse.exe | 114eb35934.exe (×3)
PID 440 wrote to memory of 700 | 440 | svoutse.exe | powershell.exe (×3)
PID 700 wrote to memory of 952 | 700 | powershell.exe | cmd.exe (×3)
PID 700 wrote to memory of 3828 | 700 | powershell.exe | cmd.exe (×3)
PID 700 wrote to memory of 2732 | 700 | powershell.exe | firefox.exe (×2)
PID 700 wrote to memory of 3640 | 700 | powershell.exe | firefox.exe (×2)
PID 2732 wrote to memory of 4288 | 2732 | firefox.exe | firefox.exe (×11)
PID 4288 wrote to memory of 3368 | 4288 | firefox.exe | firefox.exe (×31)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
"C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe" (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe" (level 2)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe
"C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe" (level 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:392 -
C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe
"C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe" (level 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1" (level 3)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account (level 4)
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd (level 4)
- System Location Discovery: System Language Discovery
PID:3828 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account (level 4)
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account (level 5)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68642c2d-721d-4190-8af3-693a44697a7b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" gpu (level 6)
PID:3368
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed0da6d2-6294-4826-99b1-b70fec00a89d} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" socket (level 6)
PID:2032
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0539ee-5919-4d6b-9270-81fcb1d27e3b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:1520
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3440 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3516cdc4-080a-4d81-9b9d-f495545b57a0} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:2224
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -childID 3 -isForBrowser -prefsHandle 2928 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70571e9-c1c4-4620-960e-38ea2eb9ae32} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:2868
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5168 -prefMapHandle 5152 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {968843e3-acbe-4f4c-b446-c165e71d043f} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" utility (level 6)
- Checks processor information in registry
PID:3592 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aecad104-9dcc-4083-8525-0ff651e3a68c} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:3268
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 6008 -prefMapHandle 6004 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c8a0738-d19f-433b-aa74-87868066c515} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:3448
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {594068db-eede-4633-a425-306d7b3ce170} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab (level 6)
PID:5064
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd (level 4)
- Checks processor information in registry
PID:3640
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3392
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4512
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json
Filesize: 29KB
MD5: 38c35afe1c736cad27a77e99c6653887
SHA1: ff57120c1bc8a39e8bad431869963c1b26df3e8d
SHA256: 34457be02b8f57968edf18fa07c4210c3df0109234ea1598fadfb2dbbfac2051
SHA512: 063a0b48cf5c29a8efad07cd33eea54e5f7863d40e185f4651d14240d978723f49079d7e329bb74b367c89abed67dfa3aba0c7a321f64c6dc89a20d0ebcd17ab
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244
Filesize: 480KB
MD5: 8265322172b2cbeb6e357b0f3388391a
SHA1: 4fa9c9a543741d4837cb176459b1a354702013bb
SHA256: 5754eb88b7eac0e20aa9a612dea908a20594d5157e5c79fbf6ed8290c438df17
SHA512: d6189cb76bdef3412238483d8c7096cf0ba5607b163a2578b7e6b2b82c9bd46b11e5cb43350e83edad850028590dca86e214b027fa5913fa0cbbb4072c396431
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F
Filesize: 13KB
MD5: fd3b9e3bde621cd4db60a04febdebdc2
SHA1: ed2846d16994b9b45131c7a47b880540a9f1bb2f
SHA256: 41240c489cd3c2c9328ed2684effa7eaef1fe76e63150a955d6480043b998219
SHA512: efa5b87a2f8a908a0912a50694aab5ef08d82a43948a816c523b0bbc2521583765a305ab7e5be04149d0ae82198937551c1db5131ca4aeb12fdf3e66b165b037
-
Filesize: 1.8MB
MD5: eeb139916aa5a94fb6de01d67d329939
SHA1: 7881a77833d76054afee411c19b37b5ee08ca9b1
SHA256: ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801
SHA512: f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef
-
Filesize: 2KB
MD5: e05e8f072b373beafe27cc11d85f947c
SHA1: 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256: 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512: b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize: 1.7MB
MD5: 73bbd225dee50a7cd44e58a8fc26e148
SHA1: 6ac24985dc5d2e03d1c603c05b9b739b3e5bc7eb
SHA256: dc21dbe83a9a684aa2e77849977a9ab60e8c5b52af4e2a4f4f0aaa148dfda587
SHA512: 5ab645b0da9e90cac4b66de3cf89325fde48de512bbedf7555c1da8da6dfdc193a7790d5b14c7215459acffe02cb393ff9f9b42dfccf0cdc78db413571f442f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 6KB
MD5: 67f5aebb53d7bfe185423128a8d577d9
SHA1: ce497e5eb0ac9be84796ec6238308dfd2c99be64
SHA256: 5fac4b4928c6c80ed90562fe47ca7ecd0e1f47e444ee9a3f95287dbee845ec7b
SHA512: 51c1921b0460de4d8e006df73f376996312100d99595f12020bd73501cf31197860900f7692efba85004e345284a5465cec679771a57250f7433a4ec4f4fbc49
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 10KB
MD5: 890972006f4936e421981ac18f8d5c00
SHA1: 7efadd3123bf76bc0b6fe0c3b5d41e31fa8f5d4a
SHA256: a3de69a2a24f25439f3cb91f893cbc01524e9bc0662aeebfe7a309166eb30207
SHA512: fb83f81c1877fc13b261d1a55d6c24ddc891a66141439471cc0186026d554f292b0fd0ca5978fbc24d8385f2734c1c3107ebf72f929cec81800e21e67277fcec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 12KB
MD5: f0da5284357e8b2665e3e214c940f3dd
SHA1: f75045c987c5b6169d95b2f6c033b4b9ec7cfa54
SHA256: 24c0b692a976a75b540e0de978a04bacd85bbbe9cfdee85daeb7f1696bba3973
SHA512: b5a07236e13f7c6cf18b0d458263f81fe1e6cecbd83407e62d1f6a059b2aa0b3523863ad66437867477452016d13cadb8a7254783591d62019240970a1468c6e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 20KB
MD5: 2bf72fb9833be3bfbe7362d1cebfeafc
SHA1: bcc113b2e8fcc4a5435b9b37dd8bcd836884b29c
SHA256: 181e92106900f93f8a7ae047742a98c2f068cb5c1f43b7fd76a4c416b63f8817
SHA512: 9015ae12021d1567b5149a5acf172374bfa9f3b80dcd91c3be2ed9a50e04e5b479478209b00f83d608a613fd631ec0feb585161a5b67879e901500bf7373725e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 21KB
MD5: 8d07a9fd560f980757d1720d7c276ef6
SHA1: 7c3802367747bb1fc264cf34e68e1c2ee4a413ca
SHA256: ab4fce2785089abd9450716dd905c6b6f7b98619529bc1a4deabc151eb9ade1d
SHA512: 1730316101529e870b78735e0acb5f03ee0612a8f2c0cfc2a4c848e0c9823ba6b3d552bea9baadb1f9211b31f1c10d817d87ab51dbef593250b38d1287a7684f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin
Filesize: 23KB
MD5: db2172b327ba3f806e5c92b6cf43cf46
SHA1: 5fa70e337330716274654ce91af79b009d7c79cc
SHA256: f2dfb9e02ff1eb8919f050cf69988618fc559a89a65368a0bca00cfc60e6b13c
SHA512: e1dc06619af3a0d3dcd1b23a8f974a03d2910ec376d5d98dff445d65394d9302e14acd3b1c9b19718d0ef39ee9b3871f1c525ef3b644b0ddf855b12341a77bea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 7KB
MD5: 48ee3b825a54112b50658c593c292902
SHA1: 9c7251578f6fca7394ef18b20358ada6df5eb875
SHA256: 4d89401f73b833cb69a6259999107672d7444c922ca23c50a03832b0d8bfe756
SHA512: ffccb44b7b7ddfe0b5689b834329b5032af866944c1c66dd9525cb60035fbb80bc87c62cb036ecee143a5926696d39c2edcf7ab225a2d22a023052189225377b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 33KB
MD5: 504931ad0132b95b82d8c9f23aa338e3
SHA1: 848ad9bc374eb9bd1e540ccb572db9f7bcc5c312
SHA256: 8a318969f893cef04998f85faf694a2ec07013d072b87716d12521137eb00e2c
SHA512: 60357d8614a0b2a8db41fa738b74d8a98a4e082b5ba2f678f0d5ea92d23720a0e8f55fade0530579496d62944ddfc85c23ece86cf926080f2b307fd96a047eeb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: e34713b9bcc5bdc0ce9d2a77d02432c0
SHA1: 1386a947ceb8178907d268f960e2dd74a840b2a8
SHA256: 5998db3ea3cad75803c4e1da142d07b91af702e413b47260acd5b904f1ab6362
SHA512: a8bc12f5db051e7b0066a0bef1bb85ad70c4783fd4dc6cca84e52f8ca40e01c9220fdc5d783e4eaf2e935a5e6a817604765f8247199556abef38c5527a7c4f02
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 33KB
MD5: 48d86fc7acd8ce8f0a754292aed146b7
SHA1: 5966f7f63b84b3781e5b4e7f4771805f6f88e668
SHA256: 4d2c107652bca15c81a5e2357733b3a61b5e20e0cad0f8d51666915ae4a7d1f3
SHA512: beff98361ec137704318bbad8439f6abd2af771404a49f35ab6cbb4f001013163b03d8267ce93dc2e130cf93032f2f6910f0d9b652508cdd3de275f42a974c7b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\693db4d3-e596-46ef-a912-d407224948a9
Filesize: 671B
MD5: 2e6c117264b4cc0674f53afcb80a7129
SHA1: 84f8efa19c8da0eeeed39044dfdfbe7e4345ec71
SHA256: 8987804e739aec976d20696373b705680837b001f7c9f127bc0a11dc9c30bf2a
SHA512: 7130afeeab889cb16e68eeb88d01394924ca5fc2afa85dca4b48b455a3bc3820cf9828d4ffd8a53da750468e64aeec2f446211a77a8f7d70888899e25002a71a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\a133b90a-04a4-4047-ab65-2dd08e13c340
Filesize: 25KB
MD5: cc91789dd368496f564abfc90301e61d
SHA1: bb3f47056cfc29494dbd1dbe0ec8ffafbd4cb020
SHA256: 4c3ad17fe5eb4df3868dc819a813c190cf013f23cea873b5d17750ed62c06170
SHA512: 2227b3df3985363785bb2e3153b5bcb6c712dc65331dd858be71fb45c399563c974d87cbf43fd773f9b23f69c261d117b05ab001268ba9e78218c90cc3332b4e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\f827db34-34ab-4790-82ab-d4c87f205176
Filesize: 982B
MD5: 81036ba12c8f91f1ff9dbf860cdf7a48
SHA1: 9dbb3b8e467c87a89e553a612fe4569b75094ac2
SHA256: 6fe2e07ede7d59e81327e1639d9cc90d547ae82f913a8ea824bd14178972c398
SHA512: 35d7717a0a27e98c0c155163ad80a3fa43b5937c25e31e0febb3c840f80a3985539ae3bcc1443f8f844b603ef9a867fa24f8190e1c9647eca082396db2174eb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize
479B
MD5
49ddb419d96dceb9069018535fb2e2fc
SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
Filesize
1KB
MD5
688bed3676d2104e7f17ae1cd2c59404
SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
Filesize
1KB
MD5
36e5ee071a6f2f03c5d3889de80b0f0d
SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
11KB
MD5
314e8ec211c169ec0a45c353af2c1ba1
SHA1
7f506746731204a404938855b6bad40e90d308f1
SHA256
e3aca54d76e9e7e085b8295d50f8c79acc747d5362780b57e5d1ae353fdb771c
SHA512
41f7272ce540d5692703b5de307fa8fd444c55fbc80ba038b3c56688955ca2933a607971823132352946c176670fc0ec82f1f076422404e77067a2a97ac3b8b1
-
Filesize
11KB
MD5
b37b20b4c092f31aa47e727c56fb4f63
SHA1
819fa217923432b5386835e169a1eab97f8ea33f
SHA256
67816e76900c928b13b9129888337b956b9da9140507ed3a38a2d9951fa1013b
SHA512
7ce3cba956415443a20c1e7c14f9b4c2cabc001435c6fccdf00afa15f5ae038a41e68c34c0f5ff734203e5e8f00b23938e7f469c7f731fe5d172e2a93f86edaa
-
Filesize
11KB
MD5
3d881538e8f844e4f2ecda1033ec6e10
SHA1
06885e6ea43377ded520036a740126e026bfd202
SHA256
36a13fb00be8baa13cb80c144e71c006a841e5a9634d1549acfa1d03c08e48a8
SHA512
5fa18446edff77f021880086f27efaeeb02fbdf661bf6ad477530ee862ac3830b4900e73fc54b3f0dfb268de3e358d5346ee58a241660d62cbd74d952d9d37d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB
MD5
0c583d822bab27fea3d6e07e9bdd66b2
SHA1
6ae77a10879ce768984acb47722eed3c022b2b1b
SHA256
2722b426d7731d00c3c60bef33e96eab97f565159b2a0f209e1caf1b7a151720
SHA512
63409b4cddffcc24601ced9d60a2c11d74b396edbe48541183645c21d5404ba29abca4fb9bc8023ed2afc99c124a18912d87e625c23da993cf6142a560172134
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
Filesize
5KB
MD5
7c017058d44a9187e2f1f0561176688c
SHA1
a26ee51f2ccce68dee6ef36de4a4905c2c19ad5c
SHA256
91a082bbf5b1131f7d588db70801451fc5d40962d2e35e1647de8d7b57ef616f
SHA512
8f6b183580a2c57ddf2c4ad9e470b51a25c73752374bfe0f5f290ae828289d792c4c69c37da2067ce890719ad19d02ee9dd825315636dba0ab0a71afbc14f15f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB
MD5
03dc2f7cd9779201c199d6a57cfacb46
SHA1
48845e029e3e75d637fc92d33405914dc629c9a5
SHA256
e43d6b915a0584eda25a6803269cf3cd47c71a7c3523d9110151011fdbd4e9e3
SHA512
a08e05af90a845b344b5de021934ea1be9fe446bf972e5b72fd697e0eb95eccd22d2b57e4af543d385b62b7a36579459e5c43f289ae60b5239d68c45808d99f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.2MB
MD5
5c9c47793ab712567ff87c2b430290d8
SHA1
f8bdfb4a55cc70e691f23f9cda50e4a500f530a9
SHA256
7f47f70d02a82d8b1558e05e7b4190cf87537c5a3e29cbb1081cb7cc15f69a63
SHA512
6ebc80233ed41df430ee826e884c4ca495e3e847fd5955d7f112198cbe6f14e42e1ee16df0f753fdb89ce46e02473476b62734326f16e5f4d3fa48918e9855d4