664555cf762648ba681ec342b9007d3d08a9c4e01754df5d350b81f6fb047585

Analysis

max time kernel
121s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FF Logs Uploader.exe
Size

104.7MB
MD5

cf525fe3000d4315a3f2e612b30950b6
SHA1

ed337ff5d78282595c077ded9241236408cbfe43
SHA256

7678c37efb6461b9b33a31593451d0d4ee3b36702c0777ce382e8891aa4b85b1
SHA512

161cb70a9159721f27ffde7049f327ff8337393a68564d49863c4d7b7bf5dee42022a1b39bf3847a29a2c72641b42cc131ae90233ef73a34293277f09de0dc8a
SSDEEP

1572864:UgMS3hWvz1iVquRGZkp2BcshFEe+xQxQ49UD3XMzS/g1Y7cZVLhHzLuu2eSia4Z9:UgM5HOxQxf9UD/o1QhN+wh1n6

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	FF Logs Uploader.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FF Logs Uploader.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FF Logs Uploader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	FF Logs Uploader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	FF Logs Uploader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	FF Logs Uploader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	FF Logs Uploader.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	FF Logs Uploader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	FF Logs Uploader.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exeFF Logs Uploader.exe

pid	process
572	FF Logs Uploader.exe
1656	FF Logs Uploader.exe
2284	FF Logs Uploader.exe
2300	FF Logs Uploader.exe
2736	FF Logs Uploader.exe
2736	FF Logs Uploader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FF Logs Uploader.exe

description	pid	process	target process
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2880	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 572	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 572	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 572	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 572	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 1656	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 1656	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 1656	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 1656	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe
PID 2736 wrote to memory of 2804	2736	FF Logs Uploader.exe	FF Logs Uploader.exe

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=gpu-process --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1036 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
PID:2880

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1512 /prefetch:8
2⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1644 /prefetch:1
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=gpu-process --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1036 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
PID:2804

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\parser-ipc.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe
"C:\Users\Admin\AppData\Local\Temp\FF Logs Uploader.exe" --type=renderer --disable-background-timer-throttling --field-trial-handle=1020,16152209457915658972,10435299784329789198,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\parser-ipc.js" --enable-remote-module --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1668 /prefetch:1
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7f1e116fee732468e7c41b587d12130

SHA1
021a420936cd8945e59e55b92a4e831e9798cf69

SHA256
5847be4d1780913accb34659e482c76052f25586f28068743419752a27a00f5b

SHA512
a5e6be450c6734e26927f3b20666e27e560f4405c60f0eed3610dbcb235ff57e638eee566ad766ea6211af38bd7927453e2734dd5c952fa62b223deaa8815c7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa4c9f4d292121042d8eda33aae12896

SHA1
bc23240ebb0dc35d5d02eefb81599da6a5ed1803

SHA256
39ac0dac56f9ad9df3d09df11283a06587bb2ac2d4b9496905d0f7bef90b9f90

SHA512
7b309135982167719e8e76c5a04afeaa4c9a0e44b205c78512877e8c7a2014b278dbb7ba7eb73c9415eda4520b5929be8c448d9432fbd4107755539160628714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b755a1d8546be8122f7b07720ad1c734

SHA1
07cc30d38ae9b199dcef3962d19f073e124203f4

SHA256
6fcae8cef3e83e9ac4278287d2537422911ca11a2fab9071ab105b962c44347e

SHA512
819c882676e683ab16aea9ec186eadedcf5bbdfedc33c85bbbc2b82420dedfbc87790164a2b019046ed90c3229c930bf97d0d394f01dd79b729c8b806604c977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a7421bf922ff99f8666b4396e8318dd

SHA1
0c505fb1993366c4487ae69af69a5e9931a4b382

SHA256
3dd03a31dc950f1b712cf60a584ba1da4c1113921c8d08a57662030344786a27

SHA512
61698d844a6cc3a25416bf51911423c4dffc6be60ae955b0de55c080dac0589cf75a540e96bd9d2262bdd108c519e7995359c150b62ecbe542220d8b90ce7ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9227.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\8c592bd4-7e41-4dad-b9ef-8a663080b6c4.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\Cache\f_000001

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0e8dc83debbb6d55b8bae08413261eb4

SHA1
53ac94741102b73450b5db5c026f4a1e2b6e3185

SHA256
da442e537441f4873c13edc5cc4640e8a0b5ad15da97475c23aa6add5ec9498f

SHA512
014c625bf97511709dddf4a55c7e524ee9ad3db643de0b4aa8fc796b6b7a84b06740ed6e76e2cafbac43bf4ac1ab8acf4b8d03e5daac0c77635023bb3e257749

Download Submit
C:\Users\Admin\AppData\Roaming\fflogs\settings.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/2880-0-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download