Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-09-2024 20:31

Static task: static1
Behavioral task: behavioral1
Sample: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Resource: win7-20240903-en
General
- Target: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
- Size: 1.8MB
- MD5: 260bb7213697b9eab79cfff7cd5bebe1
- SHA1: 350b664626ee1dcf9fd7bca4cd04a87a4c11adf4
- SHA256: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
- SHA512: 2d8bb03f5b4ed992902aefa7535add761f74e981791bc9058d30bda43b53f92dc86d6e84e0703add200ba2987aa15de188f9eb493d4c8ecc1058094efbbaed99
- SSDEEP: 24576:Od3g80i4dff2KOXpXPqQw6hs37gIQmMYhdY5eGFvsG7C7TwbQgYhLe+XEM:OKvfzgp7wEkggMYhEvzswbQgIB9
Malware Config

Extracted: amadey
- 4.41
- c7817d
- http://31.41.244.10
- install_dir: 0e8d0864aa
- install_file: svoutse.exe
- strings_key: 5481b88a6ef75bcf21333988a4e47048
- url_paths: /Dem7kTu/index.php

Extracted: stealc
- rave
- http://185.215.113.103
- url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, 3957298b06.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c843d0f93f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3957298b06.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, 3957298b06.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c843d0f93f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c843d0f93f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3957298b06.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3957298b06.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Executes dropped EXE (3 IoCs)
Processes: svoutse.exe, c843d0f93f.exe, 3957298b06.exe
pid | process
2744 | svoutse.exe
2488 | c843d0f93f.exe
2860 | 3957298b06.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, 3957298b06.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | svoutse.exe
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | c843d0f93f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | 3957298b06.exe
Loads dropped DLL (5 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe
pid | process
2060 | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
2744 | svoutse.exe (4 entries)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: svoutse.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\3957298b06.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000030001\\3957298b06.exe" | svoutse.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, 3957298b06.exe
pid | process
2060 | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
2744 | svoutse.exe
2488 | c843d0f93f.exe
2860 | 3957298b06.exe
Drops file in Windows directory (1 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
description | ioc | process
File created | C:\Windows\Tasks\svoutse.job | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, powershell.exe, 3957298b06.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c843d0f93f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3957298b06.exe
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, c843d0f93f.exe, 3957298b06.exe, powershell.exe
pid | process
2060 | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
2744 | svoutse.exe
2488 | c843d0f93f.exe
2860 | 3957298b06.exe
2468 | powershell.exe (10 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, firefox.exe
description | pid | process
Token: SeDebugPrivilege | 2468 | powershell.exe
Token: SeDebugPrivilege | 1244 | firefox.exe (2 entries)
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, firefox.exe
pid | process
2060 | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe
1244 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: firefox.exe
pid | process
1244 | firefox.exe (3 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe, svoutse.exe, powershell.exe, firefox.exe, firefox.exe
description | pid | process | target process
PID 2060 wrote to memory of 2744 | 2060 | 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe | svoutse.exe (4 entries)
PID 2744 wrote to memory of 2488 | 2744 | svoutse.exe | c843d0f93f.exe (4 entries)
PID 2744 wrote to memory of 2860 | 2744 | svoutse.exe | 3957298b06.exe (4 entries)
PID 2744 wrote to memory of 2468 | 2744 | svoutse.exe | powershell.exe (4 entries)
PID 2468 wrote to memory of 772 | 2468 | powershell.exe | firefox.exe (4 entries)
PID 2468 wrote to memory of 2204 | 2468 | powershell.exe | firefox.exe (4 entries)
PID 772 wrote to memory of 1244 | 772 | firefox.exe | firefox.exe (12 entries)
PID 1244 wrote to memory of 1356 | 1244 | firefox.exe | firefox.exe (3 entries)
PID 1244 wrote to memory of 1228 | 1244 | firefox.exe | firefox.exe (25 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe (depth 1, PID 2060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (depth 2, PID 2744)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\1000026000\c843d0f93f.exe (depth 3, PID 2488)
      Command line: "C:\Users\Admin\AppData\Roaming\1000026000\c843d0f93f.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000030001\3957298b06.exe (depth 3, PID 2860)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000030001\3957298b06.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2468)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe (depth 4, PID 772)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe (depth 5, PID 1244)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1356)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.0.902330568\769287336" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {122b8e6d-26ef-4199-87c5-85438defc702} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1368 10106858 gpu

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1228)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.1.39413373\1161793745" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b60517e-1910-4bd5-8732-b8f300634c65} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 1548 ecf9858 socket

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1956)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.2.1339417322\1153927307" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb6a9a4c-8ccb-4da1-9a24-4bb7f86e7dce} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2068 1a18b558 tab

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 2628)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.3.449491899\1559449417" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c4cb166-0a44-4458-a0a7-313d6520c646} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 2896 1d5a4858 tab

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1140)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.4.982959049\652074832" -childID 3 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48de82b8-c3dd-4785-90ab-3457d84c4a53} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3864 209cee58 tab

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 772)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.5.1056610681\1680625991" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1956f77f-cb2b-4d71-b500-b1ecc28b22da} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3976 20a85e58 tab

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1788)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.6.323323448\1446600618" -childID 5 -isForBrowser -prefsHandle 4168 -prefMapHandle 4172 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee47ddee-7d0f-4d18-99c7-e33664499059} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 4156 20a88858 tab

          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 2480)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1244.7.1096542413\425457389" -childID 6 -isForBrowser -prefsHandle 3880 -prefMapHandle 3796 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f21dd721-bb97-4ccd-a027-7fe9eec6bf4e} 1244 "\\.\pipe\gecko-crash-server-pipe.1244" 3780 212e8558 tab

      C:\Program Files\Mozilla Firefox\firefox.exe (depth 4, PID 2204)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
tactic | technique | sub-technique
Privilege Escalation | Boot or Logon Autostart Execution (1) | Registry Run Keys / Startup Folder (1)
Downloads

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 22KB
  MD5: 38bcd2e1a8bcc725d4362e6e63045175
  SHA1: 47f9fab3e5b1cd7548732938a910ef744f6c2dbe
  SHA256: 4d3580340fda19ae4b462b2a15ed615ef151e646eb248133d88457d1f537277c
  SHA512: f1ddcd3dd041cae34d0d9eed0f3f0a12dc3bb840c2b751ce278deebeb1a72438ae1ff3c67aa013b71252fb360669c3f90be60c0314453636c76c98b94daf89dc

- Filesize: 2KB
  MD5: e05e8f072b373beafe27cc11d85f947c
  SHA1: 1d6daeb98893e8122b8b69287ebd9d43f3c6138e
  SHA256: 717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f
  SHA512: b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

- Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

- Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

- Filesize: 1.7MB
  MD5: 0f0ef1482985e6cf9403f782e6ba6d10
  SHA1: d7b44e16fc1eb2845b3db09a4fec9ba66dfcebe4
  SHA256: cc65a55c66501ede8db7f899410180caa449102982130e4ed48a45909156e3c1
  SHA512: 6b484bcbba919e8c2dfc86f703196adbe065c04b93d74d47cc63f7df2e1224a62c854b5b5c03b235c48f4db3a9449d59c9a6dbed832f2e0c0f0fccf739b0a794
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: d16f597b684f5e2473d9cad14767e654
  SHA1: 6149ff11d8b4fe5330c1db93a7698a8b8370977e
  SHA256: f17eda55cf66387ef371681e70c807fc3c42d39e195c61e6d61151ce2d5d6eaa
  SHA512: 86ea3304407df5b0ad5c315c56cc860da369c6b4c1b6a17475321f038dda5e573733986cf3b01562b33ecbfcafc80d6e5bb9e8c40d064c340c7318f78963b6aa

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\270a1b65-df1c-4ac6-8d2a-afc68242ef76
  Filesize: 745B
  MD5: 34e0ab64ffb8ce6d9e2a6a19547d061b
  SHA1: d5830eda76dc0d920eaa6dab2d4283d4ac11347d
  SHA256: 4bb13a89689c409d640621c4ca39cbdcc324742a20345427fad2710104da8d8f
  SHA512: 7d65954c8686ac125a8b5d2c2d8e5c6adfed57e9ffbf00dede33424cc223357511daad113c215d76270a48de84bf2683ebc8881582ff9a2e2a08d2167b4fe493

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\80439822-f62e-436f-9415-3e22a2123227
  Filesize: 11KB
  MD5: 323834e0473fcb97462fb2121849d732
  SHA1: f3990b932fd441505df5bfa9655d6857b85e0ce2
  SHA256: ca9c552a7065e27eb94110819667017fa8b4fcb6d65d9c42d4e719b6e5b8d780
  SHA512: da4041abbd798fc98f350a1df68b37fa3ef81a44a488734f4c8f2c02f756c8767cb30b1f9cac8ce358ad7d572c1c4ce043df09f2a6f635a67162b6f233ca735f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- Filesize: 7KB
  MD5: 3a3534be8faedc8a84a1a37128995737
  SHA1: f7ff2eb920629944183fb6bee6f76d4d7cece590
  SHA256: 19daea493a08b133bbd402aab3eb792b98de35d7b5fd0b9b51a9972b786052ea
  SHA512: f2a77403e396e80078e36e340450a075f3369ad2ada3788926ec9b02e35aaa3e5eafe9d58a0809814ab1d176257770c3a5a16318bc04893d4c79fdf20de1f236

- Filesize: 6KB
  MD5: 9027913ffb8b6e666564cf50d7228c7e
  SHA1: a5ea0fcefe087b5dada0e0e77aa04b580d6da6c7
  SHA256: e99fc42e17d6f9efef7b6b75c4bc5679b3b9ecb3c0a5c3813b2fbef74678a07a
  SHA512: 3e081a22146738a2105faf8d822ae33f8179959691dfbbc61c159ef233fb2b3974e07158e1e60c8d12ed66eb7678526de7c06e0c831bd317a031195db54be824

- Filesize: 6KB
  MD5: 126a94dda766dfebcb9eb68825a2ef27
  SHA1: 50115a42a446c8e83645548835fb7cd3bc41ed02
  SHA256: 2906ecafa7d348b345e0ba884a0a1415dfae9be2f6f4c46ce018730708925bfc
  SHA512: dadebe987a2a024592ee57363e50fb8c30d9cf7c89cf707cebad9c028f94b41a7bb9363a76f6d0b250c99269397d1e39655b91caa9341a7d226192893cda273b

- Filesize: 6KB
  MD5: 31b55bfbe3a94836c55da7d276faba6d
  SHA1: 56cc07bf9f2f8deadd518b13b9dc958b47e9eb47
  SHA256: 35f20e8c6967c00ac3d09785d7c910260c831a8ba4618dc49d452ffa3b928dda
  SHA512: 246395503ea8ffa835644b12defa0e194627c6a2b3022397f953758e213334474bea7febb8c13e10e84cf9922865490f27c897426737665aae3f85791d584e88

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 5KB
  MD5: cd0d0a5d8f16f4428f9cda2125cba6ca
  SHA1: 45e9c345135c4caa91f73334f6a388eda53434d3
  SHA256: 485158f3dbdc9724c77900bfaa41329b28002d8e78bcc13be88c06ef9d961b8e
  SHA512: 3f4673b59355612d984983d7e9847450e653c2680d22d65a235837ad9ace2beb91f9dc2fa58cff13b5a0e3c15f5757e85aadfbeadd26aad3c3523f671cb35bdb

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: df1bc7b33eadc11d78041df25b7abeaa
  SHA1: 3323246dfdea08942afe86c0af25538937a303a1
  SHA256: 7087b6e093a951803ccf94bdf5c11835887ca5caf15a62629e32d000311a5009
  SHA512: 4112dc02dcf030cb833f911e6bc84f1ddfacb28cd859fdf1b0175f516b535b8df0ac5073b338f3f15abaa1d7697b531e5042e1661311e0761b1193009b878583

- Filesize: 1.8MB
  MD5: 260bb7213697b9eab79cfff7cd5bebe1
  SHA1: 350b664626ee1dcf9fd7bca4cd04a87a4c11adf4
  SHA256: 3a5bba257d06af78b46d980fc2a285026c354056c4cbaaa5a4aa477d96a13712
  SHA512: 2d8bb03f5b4ed992902aefa7535add761f74e981791bc9058d30bda43b53f92dc86d6e84e0703add200ba2987aa15de188f9eb493d4c8ecc1058094efbbaed99