Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-09-2024 06:56

Static task: static1
Behavioral task: behavioral1
Sample: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
Resource: win7-20240903-en
General
- Target: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
- Size: 1.8MB
- MD5: 656dad33ed55f336051883f756e7d041
- SHA1: 83ff37e0f8badb060900511002fb14e8c4deade8
- SHA256: 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f
- SHA512: ba950f704229070f0515b163630d59fbb9b2ba1b8b775259d84d3828713ab879880a1ee9baa4796898a29a941943868ec8ae111ba38c006fdefb9e12af81316c
- SSDEEP: 49152:ceMiOEiw+JG001x6xaEQtgCnNSjQ7t1xphS80IHY4LVx:cA9+J/awxaDAjQ9pw80IHY4LV
Malware Config

Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php

Extracted
- Family: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
- svoutse.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- cf08a16ea1.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- e65bd18633.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svoutse.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- cf08a16ea1.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- cf08a16ea1.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- e65bd18633.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- e65bd18633.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Executes dropped EXE (3 IoCs)
Processes:
- PID 2980 svoutse.exe
- PID 2164 cf08a16ea1.exe
- PID 2760 e65bd18633.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine
- svoutse.exe: Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine
- cf08a16ea1.exe: Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine
- e65bd18633.exe: Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine

Loads dropped DLL (5 IoCs)
Processes:
- PID 792 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
- PID 2980 svoutse.exe (4 entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- svoutse.exe: Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\e65bd18633.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\e65bd18633.exe"

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
- PID 792 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
- PID 2980 svoutse.exe
- PID 2164 cf08a16ea1.exe
- PID 2760 e65bd18633.exe

Drops file in Windows directory (1 IoCs)
Processes:
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: File created C:\Windows\Tasks\svoutse.job

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- powershell.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- svoutse.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cf08a16ea1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- e65bd18633.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz

Modifies registry class (1 IoCs)
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- PID 792 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
- PID 2980 svoutse.exe
- PID 2164 cf08a16ea1.exe
- PID 2760 e65bd18633.exe
- PID 1060 powershell.exe (10 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- PID 1060 powershell.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- PID 792 263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
- PID 1704 firefox.exe (4 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
- PID 1704 firefox.exe (3 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\263c5c85871db56cb3438b6b38aff70fb2447ab02c7bdf2598a40e778ab1191f.exe"
  PID: 792
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    PID: 2980
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\cf08a16ea1.exe"
      PID: 2164
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\e65bd18633.exe"
      PID: 2760
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
      PID: 1060
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        PID: 1972
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          PID: 1640
          - Checks processor information in registry

      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        PID: 1704
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.270383104\815647067" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9802e63c-da29-4f72-8f93-0290952abb9d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1328 4209158 gpu
          PID: 796

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.987955262\1731638230" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65aa4349-0109-4772-81e7-630e35ecd062} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1520 14721f58 socket
          PID: 1904

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.1553389652\364716142" -childID 1 -isForBrowser -prefsHandle 1836 -prefMapHandle 2028 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48cff3ff-96f7-4148-89b4-f56920ca6026} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2004 19ab6c58 tab
          PID: 2824

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.1093866656\1049704984" -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 2600 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f095574-31cf-44b4-ad8f-fa7d81a6c996} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2616 1d168e58 tab
          PID: 2552

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.336043100\1883955856" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 2976 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7abcf785-7b95-45fe-8af7-eba2134df39d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3716 1d2ebc58 tab
          PID: 1220

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.314380601\236099452" -childID 4 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f621ca-0495-4cab-9a9e-fdd2db15c35d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3820 1f018a58 tab
          PID: 2864

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.1532063630\173996253" -childID 5 -isForBrowser -prefsHandle 3880 -prefMapHandle 3884 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f1de22-7ebc-4c70-b28f-b5408f5dfce5} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3868 1f1aa558 tab
          PID: 1124

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.194519313\135199502" -childID 6 -isForBrowser -prefsHandle 4416 -prefMapHandle 4248 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9af629b-dd2f-48d4-bb9d-15f6a734a86b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4460 1b44f658 tab
          PID: 2348
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1)
Downloads