Analysis (tria.ge sandbox report)
  Max time kernel: 50s
  Max time network: 55s
  Platform: windows10-ltsc 2021_x64
  Resource: win10ltsc2021-20250113-en
  Resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  Submitted: 27/01/2025, 16:29
Static task
  static1

General
  Target: Setuper_25.01.exe
  Size: 67.7MB
  MD5: 626f51544f775502a39adc747c31032c
  SHA1: b4b66766714ab53be82143ab81424b98a8cbac64
  SHA256: 35d601f9d756bcc17a3b1311306eac3bf859c891feca5a218fdf220dcdc643ff
  SHA512: 6871ee61a12d692bd535125cdb101f1b8265e7707083070e29c189c69cdccc238c8659deb3995e4245bd1000bf9995caa783443102ffd7bc2754d8c70f5313e0
  SSDEEP: 393216:87eLd/nhouIETpkFh8KbodSLFBJbHRlLieEY9qIjAgOWT2ZR0HYaqz1T67bGjeBm:LLd/WbbMWlLi6TjD4FeBgriZApI/Bi
Malware Config
  Extracted
  Family: vidar
  C2 (dead-drop profiles, resolved at run time):
    https://t.me/sc1phell
    https://steamcommunity.com/profiles/76561199819539662
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

  Note: the two URLs are not the C2 server itself. Vidar builds carry only these profile URLs and read the live C2 address out of the Steam profile's display name or the Telegram channel title, so the operator can rotate the server without rebuilding the sample; block or monitor the profiles, but also resolve them to get the current C2. The hard-coded User-Agent claims Firefox on macOS, which can never match a Windows 10 host, so it is a usable network detection string for this build.
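The resolution step described above, as an added example that is not code from tria.ge or from the malware: given the body of each dead-drop page, pull out the embedded host:port. The HTML snippets are constructed stand-ins (with RFC 5737 documentation addresses), and the element selectors (Steam's actual_persona_name span, Telegram's tgme_page_title block) and the delimiter-agnostic extraction are assumptions about those pages and about how builds lay out the address; the page itself only lists the two URLs.

```python
"""Added example, not tria.ge's or Vidar's own code: resolve the real C2 from the
two dead-drop URLs in the extracted config. Assumptions: the HTML below is a
constructed stand-in, the CSS class names describe the live pages' markup at
the time of writing, and the delimiter layout around the address varies
between builds, so only the first valid IPv4[:port] is taken."""
import html
import re
from typing import Optional

DEAD_DROPS = [
    "https://t.me/sc1phell",
    "https://steamcommunity.com/profiles/76561199819539662",
]

# Constructed sample pages (RFC 5737 documentation addresses, not real C2s).
STEAM_HTML = """<html><body>
<span class="actual_persona_name">xx|192.0.2.10:80|xx</span>
</body></html>"""
TELEGRAM_HTML = """<html><body>
<div class="tgme_page_title"><span dir="auto">chan_198.51.100.7:443_</span></div>
</body></html>"""

_STEAM_NAME = re.compile(r'class="actual_persona_name"[^>]*>(.*?)</span>', re.S)
_TG_TITLE = re.compile(r'class="tgme_page_title"[^>]*>\s*<span[^>]*>(.*?)</span>', re.S)
# Dotted-quad IPv4 with an optional :port; octet and port ranges are checked in code.
_IPV4_PORT = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d{1,5}))?")


def profile_name(url: str, page: str) -> Optional[str]:
    """Return the display name / channel title carried by a dead-drop page, or None."""
    if "steamcommunity.com" in url:
        rx = _STEAM_NAME
    elif "t.me/" in url:
        rx = _TG_TITLE
    else:
        return None
    m = rx.search(page)
    return html.unescape(m.group(1)).strip() if m else None


def extract_c2(name: str) -> Optional[str]:
    """Pull the first valid host[:port] out of a profile name; surrounding junk is ignored."""
    for m in _IPV4_PORT.finditer(name):
        host, port = m.group(1), m.group(2)
        if all(0 <= int(o) <= 255 for o in host.split(".")) and (port is None or 0 < int(port) < 65536):
            return f"{host}:{port}" if port else host
    return None


def resolve(url: str, page: str) -> Optional[str]:
    """Dead-drop URL plus fetched page body -> C2 address, or None when nothing usable is there."""
    name = profile_name(url, page)
    return extract_c2(name) if name else None


if __name__ == "__main__":
    # Offline demo with the constructed pages; a responder would fetch the real
    # pages from an isolated analysis host and pass the bodies in here.
    for url, page in ((DEAD_DROPS[1], STEAM_HTML), (DEAD_DROPS[0], TELEGRAM_HTML)):
        print(f"{url} -> {resolve(url, page)}")
```

Fetch the pages from an isolated host, never from the analyst workstation, since the request itself tells the operator the profile has been found; the resolved address is the thing to put on the blocklist alongside the two profile URLs.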
Signatures

Detect Vidar Stealer (3 IoCs)
  YARA rule family_vidar_v7 matched three memory dumps of PID 1072 (Conservation.com), all taken from the same region 0x048F0000-0x04912000 (0x22000 bytes):
    behavioral1/memory/1072-97-0x00000000048F0000-0x0000000004912000-memory.dmp  family_vidar_v7
    behavioral1/memory/1072-98-0x00000000048F0000-0x0000000004912000-memory.dmp  family_vidar_v7
    behavioral1/memory/1072-99-0x00000000048F0000-0x0000000004912000-memory.dmp  family_vidar_v7
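Reading those dump names, as an added example that is not tria.ge's code: the three hits are the same process and the same 0x22000-byte region dumped at three successive points, so they collapse to one region to carve and unpack. The naming scheme is read off the names on this page and assumed to hold generally.

```python
"""Added example, not tria.ge's code: parse the memory-dump names in the YARA hits
above so that repeated hits on one process/region collapse into a single line to
chase. Naming scheme (assumed from the names on this page):
behavioral<N>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed from the three hits in the "Detect Vidar Stealer" signature.
YARA_HITS: List[Tuple[str, str]] = [
    ("behavioral1/memory/1072-98-0x00000000048F0000-0x0000000004912000-memory.dmp", "family_vidar_v7"),
    ("behavioral1/memory/1072-99-0x00000000048F0000-0x0000000004912000-memory.dmp", "family_vidar_v7"),
    ("behavioral1/memory/1072-97-0x00000000048F0000-0x0000000004912000-memory.dmp", "family_vidar_v7"),
]

_DUMP_NAME = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Dump(NamedTuple):
    task: str   # sandbox task, e.g. behavioral1
    pid: int    # process the region was dumped from
    idx: int    # dump sequence number within the task
    start: int  # region base address
    end: int    # region end address (exclusive)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> Dump:
    """Split one dump name into its fields; raises on anything that is not a dump name."""
    m = _DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    return Dump(m["task"], int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def group_hits(hits: List[Tuple[str, str]]) -> Dict[Tuple[int, int, int], List[Tuple[str, int]]]:
    """(pid, start, end) -> [(rule, dump index), ...] sorted by rule then index."""
    grouped = defaultdict(list)
    for name, rule in hits:
        d = parse_dump(name)
        grouped[(d.pid, d.start, d.end)].append((rule, d.idx))
    return {key: sorted(val) for key, val in grouped.items()}


def summarize(hits: List[Tuple[str, str]]) -> List[str]:
    """One line per distinct process/region: the thing to dump and unpack next."""
    lines = []
    for (pid, start, end), matches in sorted(group_hits(hits).items()):
        rules = ", ".join(sorted({r for r, _ in matches}))
        lines.append(f"pid {pid} region 0x{start:08X}-0x{end:08X} ({end - start} bytes): {rules} x{len(matches)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(YARA_HITS)))
```

The single region it reports is the unpacked stealer inside Conservation.com; downloading that dump from the task (or taking the same region from a live process with a minidump tool) is what a config extractor should be pointed at, rather than the 67.7 MB installer on disk.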
Vidar family
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the exclusion is the whole C:\ drive ("Add-MpPreference -ExclusionPath 'C:\'", see the process tree), which takes every file the chain drops afterwards out of scanning. On a live host, "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath" lists the current path exclusions, and Defender records the change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.
  PID 1548  powershell.exe
Downloads MZ/PE file (1 IoC)
  Flow 16  PID 4836  Setuper_25.01.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation  Setuper_25.01.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation  lem.exe
Executes dropped EXE (2 IoCs)
  PID 2544  lem.exe
  PID 1072  Conservation.com
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2204  tasklist.exe
  PID 3480  tasklist.exe
Drops file in Windows directory (4 IoCs)
  File opened for modification  C:\Windows\PosBdsm  lem.exe
  File opened for modification  C:\Windows\CemeteryAcknowledged  lem.exe
  File opened for modification  C:\Windows\DisplaysHumanitarian  lem.exe
  File opened for modification  C:\Windows\LimeSamsung  lem.exe
  Creating files directly under C:\Windows needs administrative rights; the sandbox runs the sample as the Admin user, so do not expect these exact paths on a standard-user host.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: choice.exe (1), lem.exe (1), findstr.exe (3), extrac32.exe (1), cmd.exe (4), Conservation.com (1), tasklist.exe (2)
  Caveat: every helper in the batch chain (cmd, findstr, tasklist, extrac32, choice) opens this key, which is what ordinary process start-up and locale initialisation look like; treat this hit as weak evidence on its own and rely on the Geo\Nation query above for the geofence claim.
Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All ten accesses are by firefox.exe, which sits at the top level of the process tree and is not a child of the sample:
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (x2)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (x2)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (x2)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (x2)
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Caveat: attribute this to the browser's own hardware probing, not to anti-sandbox logic in the sample.
Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings  firefox.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1548  powershell.exe  (x2)
  PID 1072  Conservation.com  (x6)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 1548  powershell.exe: SeDebugPrivilege (x2), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  PID 3480  tasklist.exe: SeDebugPrivilege
  PID 2204  tasklist.exe: SeDebugPrivilege
  Caveat: an elevated powershell.exe enabling its whole privilege set at start-up, and tasklist enabling SeDebugPrivilege to read other processes, are both normal for those binaries; the signal here is who launched them, not the privilege calls themselves.
Suspicious use of FindShellTrayWindow (44 IoCs)
  PID 1072  Conservation.com  (x3)
  PID 1596  firefox.exe  (x41)
Suspicious use of SendNotifyMessage (43 IoCs)
  PID 1072  Conservation.com  (x3)
  PID 1596  firefox.exe  (x40)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1596  firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Writes grouped by source and target; the number in parentheses is the target's index in the sandbox process list (procid_target), the final number is how many writes were recorded.
  4836 Setuper_25.01.exe -> 1548 powershell.exe (81): 2
  4836 Setuper_25.01.exe -> 2544 lem.exe (88): 3
  2544 lem.exe -> 3724 cmd.exe (90): 3
  3724 cmd.exe -> 3480 tasklist.exe (92): 3
  3724 cmd.exe -> 4344 findstr.exe (93): 3
  3724 cmd.exe -> 2204 tasklist.exe (94): 3
  3724 cmd.exe -> 4860 findstr.exe (95): 3
  3724 cmd.exe -> 1456 cmd.exe (96): 3
  3724 cmd.exe -> 1572 extrac32.exe (97): 3
  3724 cmd.exe -> 2988 findstr.exe (100): 3
  3724 cmd.exe -> 2976 cmd.exe (101): 3
  3724 cmd.exe -> 2820 cmd.exe (102): 3
  3724 cmd.exe -> 1072 Conservation.com (103): 3
  3724 cmd.exe -> 3040 choice.exe (104): 3
  4964 firefox.exe -> 1596 firefox.exe (117): 11
  1596 firefox.exe -> 1204 firefox.exe (118): 12
  Caveat: every target is the source's own child as shown in the process tree, and the writes coincide with the children being created, which is consistent with ordinary process start-up rather than injection into an unrelated process. No write from the sample's chain into a foreign process is recorded.
Processes

Setuper_25.01.exe  (PID 4836)
  Path: C:\Users\Admin\AppData\Local\Temp\Setuper_25.01.exe
  Cmd:  "C:\Users\Admin\AppData\Local\Temp\Setuper_25.01.exe"
  - Downloads MZ/PE file
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  powershell.exe  (PID 1548)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Cmd:  "powershell" Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  lem.exe  (PID 2544)
    Path: C:\Users\Admin\AppData\Local\Temp\lem.exe
    Cmd:  "C:\Users\Admin\AppData\Local\Temp\lem.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    cmd.exe  (PID 3724)
      Path: C:\Windows\SysWOW64\cmd.exe
      Cmd:  "C:\Windows\System32\cmd.exe" /c copy Petition Petition.cmd & Petition.cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      tasklist.exe  (PID 3480)
        Path: C:\Windows\SysWOW64\tasklist.exe
        Cmd:  tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      findstr.exe  (PID 4344)
        Path: C:\Windows\SysWOW64\findstr.exe
        Cmd:  findstr /I "opssvc wrsa"
        - System Location Discovery: System Language Discovery

      tasklist.exe  (PID 2204)
        Path: C:\Windows\SysWOW64\tasklist.exe
        Cmd:  tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      findstr.exe  (PID 4860)
        Path: C:\Windows\SysWOW64\findstr.exe
        Cmd:  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        - System Location Discovery: System Language Discovery

      cmd.exe  (PID 1456)
        Path: C:\Windows\SysWOW64\cmd.exe
        Cmd:  cmd /c md 783469
        - System Location Discovery: System Language Discovery

      extrac32.exe  (PID 1572)
        Path: C:\Windows\SysWOW64\extrac32.exe
        Cmd:  extrac32 /Y /E Virtue
        - System Location Discovery: System Language Discovery

      findstr.exe  (PID 2988)
        Path: C:\Windows\SysWOW64\findstr.exe
        Cmd:  findstr /V "valuable" Essentials
        - System Location Discovery: System Language Discovery

      cmd.exe  (PID 2976)
        Path: C:\Windows\SysWOW64\cmd.exe
        Cmd:  cmd /c copy /b 783469\Conservation.com + Sonic + Mails + Wool + Required + Ge + Lenders + Nearly + Wires + Nut + Peaceful 783469\Conservation.com
        - System Location Discovery: System Language Discovery

      cmd.exe  (PID 2820)
        Path: C:\Windows\SysWOW64\cmd.exe
        Cmd:  cmd /c copy /b ..\Ecological + ..\Hour + ..\Centres + ..\Chairman R
        - System Location Discovery: System Language Discovery

      Conservation.com  (PID 1072)
        Path: C:\Users\Admin\AppData\Local\Temp\783469\Conservation.com
        Cmd:  Conservation.com R
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

      choice.exe  (PID 3040)
        Path: C:\Windows\SysWOW64\choice.exe
        Cmd:  choice /d y /t 5
        - System Location Discovery: System Language Discovery

    What the lem.exe chain does: Petition is the batch script, copied to a .cmd name so cmd.exe will run it. The two tasklist-then-findstr pairs test whether a security product is running by grepping the process list for opssvc (Quick Heal), wrsa (Webroot), AvastUI (Avast), AVGUI (AVG), bdservicehost (Bitdefender), nsWscSvc (Norton), ekrn (ESET) or SophosHealth (Sophos); the product names are background knowledge, the script itself only carries the process names. extrac32 expands the cabinet Virtue, and findstr /V "valuable" Essentials strips decoy lines from Essentials (the output redirect is handled by the parent cmd and is not in the command line; the next copy /b starts from 783469\Conservation.com, so that file is the most likely destination). The two copy /b commands then rebuild an executable, Conservation.com, from eleven fragments in the freshly created 783469 directory, and a data file R from four more fragments, after which Conservation.com is started with R as its only argument and the Vidar YARA hits appear in that process. choice /d y /t 5 is the script's way of sleeping five seconds. Everything under lem.exe runs from SysWOW64, so lem.exe is a 32-bit binary. This .com-interpreter-plus-single-letter-script layout matches the widely documented pattern of a renamed AutoIt interpreter executing a compiled script; the page does not identify the interpreter, so treat that as an inference to confirm against the dropped-file hashes.

rundll32.exe  (PID 3208, top level, not a child of the sample)
  Path: C:\Windows\System32\rundll32.exe
  Cmd:  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

firefox.exe  (PID 4964, top level, not a child of the sample)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  firefox.exe  (PID 1596)
    Path: C:\Program Files\Mozilla Firefox\firefox.exe
    Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    firefox.exe  (PID 1204, gpu process)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8a11f3-88cb-4d25-b19a-1b44aaae56ca} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" gpu

    firefox.exe  (PID 4532, socket process)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 26807 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e9dc3be-5da4-4a11-b9cc-1008faf142aa} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" socket

    firefox.exe  (PID 2776, tab 1)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3084 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67adcc2a-9d2a-4240-a774-7de12f485627} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

    firefox.exe  (PID 2420, tab 2)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 2 -isForBrowser -prefsHandle 3332 -prefMapHandle 3012 -prefsLen 27873 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd0ca21d-7dcb-418b-9a07-35b5c851d532} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

    firefox.exe  (PID 1224, tab 3)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4036 -childID 3 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 32181 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3effe1e-dc85-4969-a8cc-595e208902fe} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

    firefox.exe  (PID 5576, utility process)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2732 -prefMapHandle 2728 -prefsLen 32181 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90874fd2-2594-4304-b54d-0b6e6b7997d1} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" utility

    firefox.exe  (PID 5260, tab 4)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a86ec9d-0cfd-40e4-8f7f-2f0213ca33c4} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

    firefox.exe  (PID 5272, tab 5)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f436b187-019c-4bc0-88df-1c7af2e19b34} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

    firefox.exe  (PID 5292, tab 6)
      Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5116 -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 6064 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fcf92f2-4816-4747-ac9c-39b66988cae5} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" tab

firefox.exe  (PID 4480, top level, not a child of the sample)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe"

  firefox.exe  (PID 1880)
    Path: C:\Program Files\Mozilla Firefox\firefox.exe
    Cmd:  "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry

The rundll32 instance and the two Firefox trees have no parent among the sample's processes, and between them they account for all of the processor-information, registry-class, FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx hits except the three Conservation.com entries. Read those signatures as browser start-up behaviour in the sandbox, not as behaviour of the sample; the behaviour that matters is entirely under Setuper_25.01.exe.
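Detection logic for the chain above and for the Defender-exclusion signature, as an added example that is not tria.ge's code or any vendor's rule. It runs over process-creation events in a Sysmon-Event-1-like shape (pid, ppid, image, cmd) built from the command lines in this report, plus one benign control, and rolls the individual hits up to the root of the process tree so that one noisy rule does not fire on its own. The event layout, the product names behind the grepped process names and the three-rule threshold are assumptions.

```python
"""Added example, not tria.ge's code or any vendor's rule: detection logic for the loader
chain in the process tree above, run over process-creation events in a Sysmon-Event-1-like
shape (pid, ppid, image, cmd). Command lines are the ones in this report; the event layout,
the products behind the grepped process names and the verdict() threshold are assumptions."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
# Process names the script greps for -> product (background knowledge, not stated on the page).
AV_PROCESS_NAMES = {"opssvc": "Quick Heal", "wrsa": "Webroot", "avastui": "Avast", "avgui": "AVG",
                    "bdservicehost": "Bitdefender", "nswscsvc": "Norton", "ekrn": "ESET", "sophoshealth": "Sophos"}

T, W = "C:\\Users\\Admin\\AppData\\Local\\Temp\\", "C:\\Windows\\SysWOW64\\"
EVENTS: List[Event] = [  # constructed from the process tree; the last entry is a benign control
    {"pid": 4836, "ppid": 1, "image": T + "Setuper_25.01.exe", "cmd": f'"{T}Setuper_25.01.exe"'},
    {"pid": 1548, "ppid": 4836, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "\"powershell\" Add-MpPreference -ExclusionPath 'C:\\'"},
    {"pid": 2544, "ppid": 4836, "image": T + "lem.exe", "cmd": f'"{T}lem.exe"'},
    {"pid": 3724, "ppid": 2544, "image": W + "cmd.exe",
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /c copy Petition Petition.cmd & Petition.cmd'},
    {"pid": 3480, "ppid": 3724, "image": W + "tasklist.exe", "cmd": "tasklist"},
    {"pid": 4344, "ppid": 3724, "image": W + "findstr.exe", "cmd": 'findstr /I "opssvc wrsa"'},
    {"pid": 4860, "ppid": 3724, "image": W + "findstr.exe", "cmd": 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 1572, "ppid": 3724, "image": W + "extrac32.exe", "cmd": "extrac32 /Y /E Virtue"},
    {"pid": 2988, "ppid": 3724, "image": W + "findstr.exe", "cmd": 'findstr /V "valuable" Essentials'},
    {"pid": 2976, "ppid": 3724, "image": W + "cmd.exe", "cmd": "cmd /c copy /b 783469\\Conservation.com + Sonic + Mails"
     " + Wool + Required + Ge + Lenders + Nearly + Wires + Nut + Peaceful 783469\\Conservation.com"},
    {"pid": 2820, "ppid": 3724, "image": W + "cmd.exe", "cmd": "cmd /c copy /b ..\\Ecological + ..\\Hour + ..\\Centres + ..\\Chairman R"},
    {"pid": 1072, "ppid": 3724, "image": T + "783469\\Conservation.com", "cmd": "Conservation.com R"},
    {"pid": 3040, "ppid": 3724, "image": W + "choice.exe", "cmd": "choice /d y /t 5"},
    {"pid": 9001, "ppid": 9000, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd /c copy /b a.txt + b.txt all.txt"},
]

def _name(e: Event) -> str:
    return str(e["image"]).rsplit("\\", 1)[-1].lower()

def rule_defender_exclusion(e: Event) -> Optional[str]:
    m = _name(e) == "powershell.exe" and re.search(
        r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", str(e["cmd"]), re.I)
    if not m:
        return None
    whole_drive = m.group(1).lower() == "path" and re.fullmatch(r"[A-Za-z]:\\?", m.group(2)) is not None
    return f"Defender {m.group(1)} exclusion for {m.group(2)}" + (" (entire drive)" if whole_drive else "")

def rule_staged_script(e: Event) -> Optional[str]:
    # "copy X X.cmd & X.cmd": an extensionless drop turned into a batch file and run in one line
    m = _name(e) == "cmd.exe" and re.search(r"copy\s+(\S+)\s+\1\.(cmd|bat)\s*&\s*\1\.\2", str(e["cmd"]), re.I)
    return f"extensionless file {m.group(1)} renamed to .{m.group(2)} and run" if m else None

def rule_av_discovery(e: Event) -> Optional[str]:
    tokens = re.findall(r"[A-Za-z0-9]+", str(e["cmd"])) if _name(e) == "findstr.exe" else []
    hits = sorted({AV_PROCESS_NAMES[t.lower()] for t in tokens if t.lower() in AV_PROCESS_NAMES})
    return "process list grepped for security products: " + ", ".join(hits) if hits else None

def rule_cab_extract(e: Event) -> Optional[str]:
    m = _name(e) == "extrac32.exe" and re.search(r"/E\s+(\S+)", str(e["cmd"]), re.I)
    return f"extrac32 expanding {m.group(1)}, which has no archive extension" if m and "." not in m.group(1) else None

def rule_fragment_concat(e: Event) -> Optional[str]:
    # copy /b with three or more "+"-joined pieces into something executable or extensionless
    m = _name(e) == "cmd.exe" and re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", str(e["cmd"]), re.I)
    if not m:
        return None
    parts, base = m.group(1).split("+"), m.group(2).rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if len(parts) >= 3 and ext in ("", "com", "exe", "scr", "dll", "cmd", "bat", "a3x"):
        return f"{len(parts)} fragments concatenated into {m.group(2)}"
    return None

def rule_temp_com_exec(e: Event) -> Optional[str]:
    img = str(e["image"]).lower()
    return "dropped .com executable started from Temp" if img.endswith(".com") and "\\appdata\\local\\temp\\" in img else None

def rule_choice_sleep(e: Event) -> Optional[str]:
    m = _name(e) == "choice.exe" and re.search(r"/t\s+(\d+)", str(e["cmd"]), re.I)
    return f"choice used as a {m.group(1)}s sleep" if m and re.search(r"/d\s+\S", str(e["cmd"]), re.I) else None

RULES: List[Callable[[Event], Optional[str]]] = [rule_defender_exclusion, rule_staged_script, rule_av_discovery,
                                                rule_cab_extract, rule_fragment_concat, rule_temp_com_exec, rule_choice_sleep]

def scan(events: List[Event]) -> List[Tuple[str, int, str]]:
    """(rule name, pid, detail) for every event a rule matches, in event order."""
    found = []
    for e in events:
        for rule in RULES:
            detail = rule(e)
            if detail:
                found.append((rule.__name__[len("rule_"):], int(e["pid"]), detail))
    return found

def verdict(events: List[Event], findings: List[Tuple[str, int, str]], min_rules: int = 3) -> Dict[int, List[str]]:
    """Roll findings up to the root of each process tree; a root with at least
    min_rules distinct rules is reported as a loader chain (threshold is an assumption)."""
    by_pid = {int(e["pid"]): e for e in events}
    def root(pid: int) -> int:
        while int(by_pid[pid]["ppid"]) in by_pid:
            pid = int(by_pid[pid]["ppid"])
        return pid
    rules_by_root: Dict[int, set] = {}
    for rule, pid, _ in findings:
        rules_by_root.setdefault(root(pid), set()).add(rule)
    return {r: sorted(s) for r, s in rules_by_root.items() if len(s) >= min_rules}
```

On real telemetry the events come from Sysmon Event ID 1 or an EDR's process-start feed, and the roll-up is what keeps this usable: a lone copy /b of three files or a single choice /t is ordinary batch scripting, but seven distinct behaviours under one root in the Temp directory is not. The whole-drive Defender exclusion is worth alerting on by itself.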
Network
MITRE ATT&CK Enterprise v15
Downloads
  Files written during the run. The page records a path only for the Firefox profile files; for the remaining entries only size and hashes survive, so the batch-script artefacts named above (Petition, Virtue, Essentials, the copy /b fragments, R and the assembled Conservation.com) cannot be matched to a hash from this page alone.

  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dg3cjlpy.default-release\activity-stream.discovery_stream.json
    Filesize: 21KB
    MD5: d84aeb7d73facf324f8a0bab734bb07c
    SHA1: 47eeff3357594cb1cda722a041a7f1ce0d9796c2
    SHA256: 3606363a25159fdd4d50e69a15f3bfc59c09db92a1a3211f795a40be67811d4a
    SHA512: 125120a050d3b54de4ef6fe9e8591b72c149cef0fb3ed0ba1d090e5f15b3d85d9c3e8bb914e0a2a56bf18b3d2a2c79347ce9b0c5377a4a52ef24292767602c3c

  (path not recorded)
    Filesize: 925KB
    MD5: 62d09f076e6e0240548c2f837536a46a
    SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
    SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
    SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  (path not recorded)
    Filesize: 255KB
    MD5: 8a64e658d19ea3dc9bf80cdcc864972a
    SHA1: ea0c7ceeb361204b9036a82bed40e97c61288394
    SHA256: c3b5a68164b18e32d6e8c1e51c3ea070dfc288a3910e747f9d93b2647be5e7c3
    SHA512: ea92d511fc457021c4899e05f2ed2e17b704289bcef078464d4f50d788822c2362d1e1dcab31103eb6fd35b03d80b064680dc8d3d8a65b3e92bb57f6ab6f68ef

  (path not recorded)
    Filesize: 87KB
    MD5: 5e828bc1bbef4e2c13a811838b1692e0
    SHA1: 775b0ea6d2188b2aa2be9d2d9ea7f860193ba690
    SHA256: 4b08481824e13638d115a9de0ea1ff1719830afa384148b437951dcf59494637
    SHA512: 0761df75b34e5ca26ebebfcd4ddde0ffbd0321548abffa570c9da2c41292d291434c3325d2fe9d78f5ee77566309aca4e9f570a96848f29f0d748a8784a08b9a

  (path not recorded)
    Filesize: 22KB
    MD5: b0cb29f7294d79b824ce3e534d7a423b
    SHA1: caf7b1c887efa070f4f2b16793477f6a645c122f
    SHA256: 1fad01f2f9ea15426b4b4326b2881910457c552c4e94e487965c4b195e0eda4b
    SHA512: 552ae4ac4cc9104c5feec6f65ca2a06e05349c5b335db8e0de2f5c9fea5a5809844484ef425fd234d4c0c1e372aa491942796acdbf62c7da52a64bfa072ba4ba

  (path not recorded)
    Filesize: 86KB
    MD5: d934eccb0198d5ab9f93ffeb46a8ce7d
    SHA1: 7d91992e152891c9995c58b290c9f54808955d71
    SHA256: 0bc1959a7d9c96348954cb358353717ca97c997afc646b4c06b2132bb9ab98a9
    SHA512: cae1819ae1d2bc1e64f8615d67dd4b745a45e167a67ed36954482aaefe7e6da830900474e4aabf205e4476d117d7a3ac3e706e341a4f67f51f5ec817f56f8179

  (path not recorded)
    Filesize: 358B
    MD5: 5a44e4ddf3c44f3eaf21d04a4ec6c643
    SHA1: 50e6311b726a8ddc4df7c6ab81381d98ae02ec1f
    SHA256: 7c899b76e4d97d45b3f295dee7155666f4bc4e87f428177f7824daa18ff1a4c3
    SHA512: 07442aad51ea8ea25160c06ad358f2e4a972d988209b5f22b7cf1cf53f3c0b91e0d4ef31af19f22b0cb66a9dbd0cd73072a07376ae37a3b7c718bbbadace6cc7

  (path not recorded)
    Filesize: 63KB
    MD5: 090166997fd0d381fa80dc73911e597f
    SHA1: f64b01878905c077ce69311f609a63770bec15d6
    SHA256: bf785fbb7106b4e937f0367849aafb7b70ed3169bfcc15d706f5397bbe045f24
    SHA512: 849d51aa48f391b3dfc81a406af0c08da55b4d9184cc3c11d67d55beaceff9c98bdd7214b6770814bed574e08a90d18c500aef1a092a255084c84c712fc1310a

  (path not recorded)
    Filesize: 60KB
    MD5: 32fec74db697f0c37390f9f4149a6b03
    SHA1: 3035eaa44d2bfbc64c7d31800709ac582808cf1b
    SHA256: b914c7e55e135d60aabe7b65a78e4102f449fb3074dbea2677592c618189dc69
    SHA512: 1d5c0fac2be6fc8db7b07c0a1ff769592b296013a0e0f29cf73b32cb3f197fcde636b52dd9fe4b591b15f34ed3c15782e6c6a7a3fde2d3efc23bd61326584166

  (path not recorded)
    Filesize: 133KB
    MD5: 3aeebd18ec137a855306b216c96ae737
    SHA1: 031dd4a37bcbecc9067b2063533596314cece50d
    SHA256: d99df8d51ad3c570201d09fb9fe7e50309ce404242e715178d7870d5a79b63f3
    SHA512: e584129a61015bbd7ce1f9f7de75ee9e008808f46178d1a79ad8ce9facfaa4385ac0eaf5687fe80e9935eb2d5ab8a587920e99bf17ca730a48ccbdfb79fe85d6

  (path not recorded)
    Filesize: 88KB
    MD5: 8aa8c75e2cd937853222c919aae7b61b
    SHA1: 0aeddb158527ab7abe80c054e4ce9e2941b34ee6
    SHA256: 020b68ea9a935f644f1018f3940523909183f9c40c236762a7ff2211c61c55ab
    SHA512: 032eac3885d5de955c1a1b2194d832e83f96d0127f22efea395fe05ce6489c7f3bead47dd96f79b5ef55b7f7e514d48c6a46d77410095fe9f13296f09ce0f3ba

  (path not recorded)
    Filesize: 89KB
    MD5: 31e7d940c03cf59d32d7f76f83343f3b
    SHA1: ec7eec71e1893e004ea901b8b39a456cee9fdeb2
    SHA256: 08894d3ffb329df8f28fff01cb9dadbc3ab8e73bca4ead2f62e1c48d49ded546
    SHA512: 8a72257ee7672f1c87005fa7a54fb07f77f5f07df59fe74c89e7326c5b2488e70afcb8acb17e39f0c9b3d59e333624bb8d124b2ca82127d7befda2853d12905b

  (path not recorded)
    Filesize: 103KB
    MD5: ad3c9ca5d7b3829b261492045496bab2
    SHA1: db2e35f065cb4575d0fcc904e5cb881629120b3a
    SHA256: 3e2280923af87a99dc0b1c889405963d5efc05ef5d59f6fbbb61262905887b70
    SHA512: 8dbad25fe0a43ec47c856ab2db56fc2aeb1d1973e605f3ad99687537f865b3c2cbe5a3d65a2e8c8bdc619aa37ac97eb6e59f1e1b8c3cd6f9ad346873d825b665

  (path not recorded)
    Filesize: 31KB
    MD5: 882956a359bba993badd30fda85bc232
    SHA1: d2eb13f54f7eef589aa3de784498473a143dfe72
    SHA256: 859b26625286898328183fd299fb1f37278bbea294f58923fc8240afd2da00bf
    SHA512: 13968f5d54f59601266265e619e4cca4bfdbaca608d8c097ee10575f7909b05e0fa6f45fc0b99f7f5f85db2929401306b25ae3c0abe5f88ed12751f5c9cffd31

  (path not recorded)
    Filesize: 11KB
    MD5: 9785ae0c049dfc7ef7d091250963f083
    SHA1: 9fd85852bb484686cf17baffe2d46e714a981483
    SHA256: 331c604b297b1d3b9a5087dab66df87c259ef6a7ac57a656d727783769ef8517
    SHA512: 880d11353c98729a7d87d563e5d28e5123970528ab37e9b87985f69f94b68d998d3793e76dbfb467ee389fd8ac52f362989c77b9868e130d5573f452c5d15d79

  (path not recorded)
    Filesize: 90KB
    MD5: 05cc077502e6849213ebaf215cd405cf
    SHA1: e3389a716bf67e5b1529c47edb5d7dd708e064dc
    SHA256: 7e0092734bdb8182c79c06821018427803e39c97d77d58838c35e6fb7ff040f3
    SHA512: c274dfdd50af8fc8e1a0b31b93ead5ff942eb679ba8d969f17c241f5ae6ecbd19db5a8b3f69e9117f3258889afbec58c638f1888954fd5028be888b257904c40

  (path not recorded)
    Filesize: 50KB
    MD5: 44bbd6106044f458a6376f8f73f233f0
    SHA1: 770bb9161fcec36ad5dd418ae903abc251847f21
    SHA256: 271a7d7ed64cd2128f3f2ab218a48bd62e5b7c4941e0753a632cd0cf49930f05
    SHA512: 26a60e179dcd6790d756e521062499817de037a11d8e9992c596a60cb6785509aaddc9714fab47c048ea104df3bc696134d5ecaf54d70098576fb609b69586b2

  (path not recorded)
    Filesize: 478KB
    MD5: 545715f9edd6559d712774c5a56aeb18
    SHA1: 8fce54d6bdd247cd4191ed05944eb580e0aa2d6f
    SHA256: 53ef3fc9d220f0280d8838a8fb35dd042d22b908cca6697e524b8103b8456c33
    SHA512: bbe54913f07362a1a8e1340681d00a72bd7af62f8d8f6ac9710e96a79517f010fc7dcda173307bbab025979c83a65d727f83b3308405bd849fa8e6f253af21e8

  (path not recorded)
    Filesize: 138KB
    MD5: 16278f9126d6c344f8d38c2d847c63d1
    SHA1: 92434569a16cab0371fc583a461644ba944a8cd6
    SHA256: 656067e924422a45897fed4eb916b7cfef4394b26667777080d8f81b386db47b
    SHA512: eb80a7918d5574d851d4980511c30df1285f1036a903680729c3bea795882d6f46dc0d18c37a4c7efa87bb69c08ee0fe90b86c2e63a00a404a9d81322ea3283f

  (path not recorded)
    Filesize: 139KB
    MD5: 220486757f7058d1ff73df0136296ee3
    SHA1: 56e9dedd165a7750718a2303e0f8b76dc19ad6f9
    SHA256: 3409ec2788e9339fac7df9f8775463a4a532bd73915b6c18912c4e1fad236171
    SHA512: 9002fbdf16a4264eed2b918949b3354f058125782760b12469e2ce9245a10c784c3aff79ca0d8e81338ab8bb32b9fca9e7af4e3e4104df13d7211528ca90df07

  (path not recorded)
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  (path not recorded)
    Filesize: 888KB
    MD5: ad2ccaab29318002cd1b01b97eb4af02
    SHA1: 44eebe4c043cdd3393038576ddbdd59a26d9c03d
    SHA256: bb1c808ad6d989df052a90e9a09d4e299c60c1a503310ed36e0281c97c37abed
    SHA512: b16e7d4ef5ac83ee1759599f85188ea062f79b6e57536a468808bab1c4ed5531f30010b0a7d43e1ea3b00a00bcef198dd8b9659e91fd776e96fd53860c04cea2

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dg3cjlpy.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: c9cae141db4a5a0c00a45337dd9cd7ee
    SHA1: 31b66da6d65dc3561ddd711a0162b0777514f5f8
    SHA256: 957f42ef73b26591b1c2b210e19bd2c2251405bc4178efd2694543f65911bd0d
    SHA512: 224f8cf7a16e436b37d148e5aa37d1ea687a2e4f34d48c0d4c5bd992f3435d732c538b689e5d8606ebec017b1062262336765cfd1af9fc7a2f97d6c014d28815

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dg3cjlpy.default-release\datareporting\glean\pending_pings\497fd8f6-1333-4a12-95b9-beb531cfc427
    Filesize: 982B
    MD5: 72b62478ed4090875b727a42977e9a9d
    SHA1: 4a703092b9ed751da8ecccd6ac17f44f8c819f5a
    SHA256: 6c8958fd0ec1dd76a5e0ea160b1a167ad6a543d8d3055bde2ed90c1a14f5e3c9
    SHA512: 8fcf10215749f347c1c2ea4a90daa5036df3bfed279ddec83a8279670698d7fdb25080716c93eba3ccd8082a35b7aef03b5bd872e97e08662a212675009f4a90

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dg3cjlpy.default-release\datareporting\glean\pending_pings\5d807bce-54c1-41ce-8c1e-d9747eaade04
    Filesize: 26KB
    MD5: f1755f90b4e29fbd92c2f9577c2bfe3a
    SHA1: f91a0ed90805e3fb32cda2bb97b21a1358c18580
    SHA256: 6ede5fd37edebf0d52571951c9bfe59cb359e0118b1fceb582e4cae73c01cf96
    SHA512: bff758719976a35db2e1ca9b91eadbb712bfc0775bc770373539f7299ec37b851dd7a3f6169f90f8c1eb942de30e174979278cc5c8e053f524d44f2a4dd5c322

  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dg3cjlpy.default-release\datareporting\glean\pending_pings\5f684d88-c427-42d6-aa6a-ed0413f05e7f
    Filesize: 671B
    MD5: bb23f4115111c4b7b9bee4f5cf6d2158
    SHA1: 6369b8b39c55279289ada370e917cd786ab9d573
    SHA256: cfe8ce6a843779660a8d5ad68c1786ced36ada4c87265701529e2b651fa9c125
    SHA512: 74c72a56f1564f0df2b733c9a9b758ad44ae8f887accb88074adfeb10ddedff41d9422226f1e0ab619b35e4fca259c1a22d01057d4e19e16a90997a930762857

  (path not recorded)
    Filesize: 9KB
    MD5: 4d2a979e1eca3a152360adc7e422ae5d
    SHA1: 7090720e4b2fc1e7702f82d9b3412b4c682a50ee
    SHA256: 318a73c13f9f082274d24602a111ee6c089f4d128c122b64be0b432366e72fc9
    SHA512: 6245e4fad4bc09cf54239ba0e6edef51e868c4471db966f9858f662dc8f8a6359475fc71072d8611d6befcd2aae9f24c9fc3e89df0bfc03a15375c64f72aaa9d

  (path not recorded)
    Filesize: 9KB
    MD5: 2fc579e1324f1a9d2f9fa65f8ba7f989
    SHA1: a09cb241f00627427dacd8e6292e3414512f1f3a
    SHA256: 1c7edc368b0f49142f3ef4b037a4aa518af7b946a270e21f4e8e00235519fecb
    SHA512: 4d447feac712b73e90c7468f6476f31a792f649dd80947cc3cc928519ab9d949de50a48713e0b0f8c950c927dd29e1b363b3e00999b0f9b76899eae9e8e1afcb