Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-09-2024 01:35
Static task: static1
Behavioral task: behavioral1
- Sample: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Resource: win7-20240903-en
General
- Target: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Size: 1.8MB
- MD5: 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
- SHA1: 14e7cff2628e339009821bdb95673a40299149d0
- SHA256: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
- SHA512: d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579
- SSDEEP: 49152:GQlomvjK2/8k6ZJ8EBHJGCHONwoFCRUUoYk32nOg:15vjak6z84uszoYkGl
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
- Family: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to or copy of a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svoutse.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a0fe5569c9.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (0e976ee612.exe)
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (0e976ee612.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svoutse.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svoutse.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a0fe5569c9.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a0fe5569c9.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (0e976ee612.exe)
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2980 svoutse.exe
  1788 a0fe5569c9.exe
  1268 0e976ee612.exe
- Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
  Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (svoutse.exe)
  Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (a0fe5569c9.exe)
  Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine (0e976ee612.exe)
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  2096 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
  2980 svoutse.exe (4 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e976ee612.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0e976ee612.exe" (svoutse.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid, process):
  2096 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
  2980 svoutse.exe
  1788 a0fe5569c9.exe
  1268 0e976ee612.exe
- Drops file in Windows directory (1 IoC)
  Processes (description, ioc, process):
  File created C:\Windows\Tasks\svoutse.job (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svoutse.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a0fe5569c9.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0e976ee612.exe)
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings (firefox.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  2096 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
  2980 svoutse.exe
  1788 a0fe5569c9.exe
  1268 0e976ee612.exe
  2500 powershell.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 2500 powershell.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid, process):
  2096 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
  604 firefox.exe (4 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
  604 firefox.exe (3 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
  PID 2096 (6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe) wrote to memory of PID 2980 (svoutse.exe): 4 entries
  PID 2980 (svoutse.exe) wrote to memory of PID 1788 (a0fe5569c9.exe): 4 entries
  PID 2980 (svoutse.exe) wrote to memory of PID 1268 (0e976ee612.exe): 4 entries
  PID 2980 (svoutse.exe) wrote to memory of PID 2500 (powershell.exe): 4 entries
  PID 2500 (powershell.exe) wrote to memory of PID 1796 (firefox.exe): 4 entries
  PID 2500 (powershell.exe) wrote to memory of PID 604 (firefox.exe): 4 entries
  PID 1796 (firefox.exe) wrote to memory of PID 1868 (firefox.exe): 12 entries
  PID 604 (firefox.exe) wrote to memory of PID 2724 (firefox.exe): 3 entries
  PID 604 (firefox.exe) wrote to memory of PID 2392 (firefox.exe): 25 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe (level 1, PID 2096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (level 2, PID 2980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe (level 3, PID 1788)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\a0fe5569c9.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe (level 3, PID 1268)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\0e976ee612.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2500)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files\Mozilla Firefox\firefox.exe (level 4, PID 1796)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        Signatures:
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 1868)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          Signatures:
          - Checks processor information in registry
      - C:\Program Files\Mozilla Firefox\firefox.exe (level 4, PID 604)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        Signatures:
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2724)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.0.1499319890\1995941788" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27bdac14-4e5a-42c6-8505-f6f4488b0f0b} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1268 119d7258 gpu
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2392)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.1.941564494\828098967" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {734bca0a-d12f-477c-a465-cc03835eef88} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1476 11905c58 socket
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2536)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.2.913314183\253676742" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0c39d0-8782-46c2-9877-6b182ba26ca6} 604 "\\.\pipe\gecko-crash-server-pipe.604" 2112 19db0958 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 3064)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.3.232455944\1753561909" -childID 2 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cd2f149-b1fd-4de9-8be8-4dffdafaabac} 604 "\\.\pipe\gecko-crash-server-pipe.604" 2680 e69b58 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 552)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.4.23732905\1581238818" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d3c253-f9f1-4b91-ae83-6ec5d09f292c} 604 "\\.\pipe\gecko-crash-server-pipe.604" 3836 1e9f0f58 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 300)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.5.1132101368\1917974158" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f60b37ab-3970-415f-8e00-79e4bfa3c919} 604 "\\.\pipe\gecko-crash-server-pipe.604" 3936 204a6b58 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2008)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.6.1337948218\1675221534" -childID 5 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bdd08bb-7ceb-4e74-b135-7b3d520c33db} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4116 204a6e58 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2720)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.7.23604496\1758185924" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4340 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a61df30-3b25-48eb-85ac-c77bd836e482} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4400 21d22858 tab
        - C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 3288)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.8.2074418888\357631155" -childID 7 -isForBrowser -prefsHandle 4364 -prefMapHandle 4504 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f200d2f4-d0e7-494d-a6f6-40716243bb34} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4552 227f8758 tab
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 28KB
MD5: 6ac5797834975c7bc1955888feaea94c
SHA1: 3663afbd9720d6af3a14cc51dcb34189365cd1a4
SHA256: af7fc9f0ed78cd00817baf8be55e1c881511d0ea154cde9e663deda433775fac
SHA512: 4b291507252c6834a5ff63a4a99c85fc949d0fec209c6a3ccb675abef3a02540946f9688ac4632b5af95adc346b6303793c096a168da4e389c5bf7b00a668bcf
-
Filesize: 1.8MB
MD5: 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
SHA1: 14e7cff2628e339009821bdb95673a40299149d0
SHA256: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
SHA512: d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579
-
Filesize: 2KB
MD5: e05e8f072b373beafe27cc11d85f947c
SHA1: 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
SHA256: 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
SHA512: b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0
-
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize: 1.7MB
MD5: 6ec533d4b68b9b65f45160ba3bfc9422
SHA1: 488be541bd2b2e42770c9e2bae875f6f97f51cfb
SHA256: dbe5d0f7237469a486de479008f1abca3d06a8a2b0ad64f26453d00e63000258
SHA512: 99ceac7775eb344221dbba859cc37834e9b553b9b6eb27fa6dc807b5b4fac8016b2802a66cfba6a4f092feb05443c6642cb3fcb400befacdaad3747c6ce46cfc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
Filesize: 9KB
MD5: 2f78029d64fa50c83971df4591e1c227
SHA1: aab4374ecb366c26e915b0b33a3a80f18b0c5a14
SHA256: 2cf672042c6966a5fe1808fd9d7a0db44bea807f3f2c661c2e7224ceee65b6f0
SHA512: f731de5f51f65aede63395287a13de6dd1260c4594cb580942d7d1b629d916148345d150587f31792e15bbb9ebf89d7853aaa9f9c0126189351d107e84c487f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\c7ea333f-883f-4977-af7b-50c60a251f65
Filesize: 733B
MD5: e80dedbb08b937abb560793d385f7853
SHA1: bc8168b139c3b68b67bab0c2eb739d33ebd06345
SHA256: 3122687c9910f701ff452c6080f46309d4bf119a53cbbc155dae88cbfb37d9e1
SHA512: f79850a63c0958a9309f312ec519ba449bcc14a0d035fe5ce64f88b4e0c750a863fe87a307a9b485fb2f7de1a8aaad6d05cf7207aee9c99bdf5c6f3b4d4050a6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize: 7KB
MD5: 71defa401dee44b639b6c89e6f58bb4c
SHA1: aaba3cabf1be1278633341fadbd592faa24d5ef0
SHA256: a1c9761f4887fb744276274723233e5fdaaa7eae934d99f8e8796caf8821bb38
SHA512: 75f3e7cb928fd0abc0ed63829a4c2763261f86caab430d9ad3b17ef7aa6a8fabb17b97af30299a1e6bb9dede93415ec0e3a3ea294496bde93641c038f750ceff
-
Filesize: 7KB
MD5: bba3b7cf674d5374d412c12f98ddffad
SHA1: 182e5203dc15f388b36dc156b61439a43b9e4364
SHA256: 6fdb9cb5ae7ac4abf99c6ee514fadf430b954a5db5fdf968cc692832f3dcee42
SHA512: 66892fcf058a5836f511e7886b909cda831a02151304a0ab220084477eb8411d975bb875da8a6cd12fd8857c5476d2c70128cd50dfee2bf59e3ca98bb954e746
-
Filesize: 6KB
MD5: f61c79cc95800c7154882837d246e85a
SHA1: 46776fad7e2c8d143fa24ce9169d49cf8ad2f404
SHA256: 3bf5a0f423d843d64a233d4cd1a975dc6041229130cf4fb3009b0dc5a5cb7140
SHA512: ecdbbcde85661c3d1b7b550fda87d1224f7c3395b343fd927f56003c9f424ca410f8385edca42cb730395a261a55a01b07d5e0313f367c410e54d3d75fc5ef3d
-
Filesize: 6KB
MD5: d920f5ec5f69946ab549cbd7ffddb238
SHA1: 526e44db3e29640dd52c1afe438ddc723d0d108d
SHA256: 2eb8ba213a659889d146289def2aaeee68f748c0c474aef24ef4dc4ae1d12d18
SHA512: 0369cb511d72c6943bade244ccea02496edc74bd3765ddcc0ccd2aae3bc86348ca731f632664f92d8feb0056545c82eba3afd1fd4a3b4e8e59054974a0d7c165
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 5KB
MD5: 5813a0395feff54c2d66fdb01451334f
SHA1: 3360c2f6eef3f59ff7a34e27a3097e8840a1fb71
SHA256: 6bb3439ce4e010d328a44a1bc54032dfc3c6f4754e88ba3b33f494523e311972
SHA512: d0b3ec0462ae47ef3ccfdcf8aae250c51f3425bfdc64e01d0f8e9ee51ee4b871c58d61b016babd53dbf2029bcc559e7d805d1ea8c94bb37c712dac5984a68aef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 2624268ec10816de5ec4cdedc0a40535
SHA1: a6b690056b7e93ae16b7060f6d0b807c1281ebff
SHA256: 87b1f35135ef50c7eacb2060d6060a528b67db4d5f4e4e8f0bdfe3f184ecc557
SHA512: c2abb8b323300b59ef845c8d85b1f7d4d2b90583106d78d242c66d0cbd54c8ce69d048c199430e2cca029c8a42b7667b78cc1ece7eac7054dacc2254ea8dd79a