Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-09-2024 07:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Resource: win7-20240903-en
General
- Target: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Size: 1.8MB
- MD5: 3bcdaf8aa8a6f0ca2f613c8c14bc5a6e
- SHA1: 14e7cff2628e339009821bdb95673a40299149d0
- SHA256: 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a
- SHA512: d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579
- SSDEEP: 49152:GQlomvjK2/8k6ZJ8EBHJGCHONwoFCRUUoYk32nOg:15vjak6z84uszoYkGl
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: c7817d
- C2: http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php
Extracted
- Family: stealc
- Botnet: rave
- C2: http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 9b28a6324e.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 0533f04538.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by svoutse.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 9b28a6324e.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 0533f04538.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 0533f04538.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by svoutse.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 9b28a6324e.exe
Executes dropped EXE 3 IoCs
Processes:
- PID 2752 svoutse.exe
- PID 672 9b28a6324e.exe
- PID 1956 0533f04538.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine by svoutse.exe
- Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine by 9b28a6324e.exe
- Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine by 0533f04538.exe
Loads dropped DLL 5 IoCs
Processes:
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- PID 2752 svoutse.exe
- PID 2752 svoutse.exe
- PID 2752 svoutse.exe
- PID 2752 svoutse.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\0533f04538.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\0533f04538.exe" by svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- PID 2752 svoutse.exe
- PID 672 9b28a6324e.exe
- PID 1956 0533f04538.exe
Drops file in Windows directory 1 IoCs
Processes:
- File created C:\Windows\Tasks\svoutse.job by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svoutse.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9b28a6324e.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0533f04538.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by powershell.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
Modifies registry class 1 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings by firefox.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- PID 2752 svoutse.exe
- PID 672 9b28a6324e.exe
- PID 1956 0533f04538.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
- PID 1032 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1032 powershell.exe
- Token: SeDebugPrivilege, PID 2360 firefox.exe
- Token: SeDebugPrivilege, PID 2360 firefox.exe
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
- PID 2360 firefox.exe
- PID 2360 firefox.exe
- PID 2360 firefox.exe
- PID 2360 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
- PID 2360 firefox.exe
- PID 2360 firefox.exe
- PID 2360 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe wrote to memory of PID 2752 svoutse.exe
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe wrote to memory of PID 2752 svoutse.exe
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe wrote to memory of PID 2752 svoutse.exe
- PID 1724 6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe wrote to memory of PID 2752 svoutse.exe
- PID 2752 svoutse.exe wrote to memory of PID 672 9b28a6324e.exe
- PID 2752 svoutse.exe wrote to memory of PID 672 9b28a6324e.exe
- PID 2752 svoutse.exe wrote to memory of PID 672 9b28a6324e.exe
- PID 2752 svoutse.exe wrote to memory of PID 672 9b28a6324e.exe
- PID 2752 svoutse.exe wrote to memory of PID 1956 0533f04538.exe
- PID 2752 svoutse.exe wrote to memory of PID 1956 0533f04538.exe
- PID 2752 svoutse.exe wrote to memory of PID 1956 0533f04538.exe
- PID 2752 svoutse.exe wrote to memory of PID 1956 0533f04538.exe
- PID 2752 svoutse.exe wrote to memory of PID 1032 powershell.exe
- PID 2752 svoutse.exe wrote to memory of PID 1032 powershell.exe
- PID 2752 svoutse.exe wrote to memory of PID 1032 powershell.exe
- PID 2752 svoutse.exe wrote to memory of PID 1032 powershell.exe
- PID 1032 powershell.exe wrote to memory of PID 1404 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1404 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1404 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1404 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1404 firefox.exe wrote to memory of PID 2360 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1876 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1876 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1876 firefox.exe
- PID 1032 powershell.exe wrote to memory of PID 1876 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 1876 firefox.exe wrote to memory of PID 2564 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 2112 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 2112 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 2112 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
- PID 2360 firefox.exe wrote to memory of PID 1820 firefox.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (depth, PID, command line; signatures listed under each process):

Depth 1, PID 1724: "C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

Depth 2, PID 2752: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3, PID 672: "C:\Users\Admin\AppData\Roaming\1000026000\9b28a6324e.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Depth 3, PID 1956: "C:\Users\Admin\AppData\Local\Temp\1000030001\0533f04538.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

Depth 3, PID 1032: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1" (image path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4, PID 1404: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory

Depth 5, PID 2360: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Depth 6, PID 2112: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.0.833057893\2123601484" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc50412b-eea7-4851-b374-f4ceeb3fdce7} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1292 119f8658 gpu

Depth 6, PID 1820: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.1.1411731309\1999267734" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb4d8da-e97d-4d40-b482-d325dac77416} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1508 d6f858 socket

Depth 6, PID 2744: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.2.1194689769\1622501604" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {767ad094-8e61-4a23-969c-d19bf055ad78} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2112 1a8cbe58 tab

Depth 6, PID 2180: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.3.1262022709\1766812275" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18cd27a5-b20c-41c1-8b63-335b793427c6} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2920 1d34e458 tab

Depth 6, PID 1668: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.4.1094851201\633886597" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ecbe72-1768-4dda-8d54-b5b099f2e35c} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3868 1ef88858 tab

Depth 6, PID 1512: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.5.414274761\595020537" -childID 4 -isForBrowser -prefsHandle 3976 -prefMapHandle 3980 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15808894-e6d5-43d2-a061-7f533c06083d} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3964 1e0d9d58 tab

Depth 6, PID 1164: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.6.1285082113\1402058357" -childID 5 -isForBrowser -prefsHandle 4156 -prefMapHandle 4160 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39541fac-4c31-4813-bf74-c0126d1906c6} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 4144 1f4c0b58 tab

Depth 6, PID 1672: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.7.295660010\118227672" -childID 6 -isForBrowser -prefsHandle 4188 -prefMapHandle 4192 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3c9b0dd-0878-4827-a640-d268a1760eb8} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 4056 221f3c58 tab

Depth 4, PID 1876: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Suspicious use of WriteProcessMemory

Depth 5, PID 2564: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads