Malware analysis https://graph.org/FREE-VALORANT-HACK-07-19-3 Malicious activity

Add for printing

URL:	https://graph.org/FREE-VALORANT-HACK-07-19-3
Full analysis:	https://app.any.run/tasks/28ba9ce3-559c-4057-816a-7b29cfcff480
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Malware Trends Tracker >>>
Analysis date:	July 19, 2023, 20:32:37
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	rat redline
Indicators:
MD5:	5C436A4355D31217EF27881BC7CB6EA7
SHA1:	C343AB178BF3C689EB3EDDCC36D5DFC54E0CE4FC
SHA256:	7BE5FC360020D6A73CF922E0808CC65A647B1684EE1BF596D3460BD1303CC7F1
SSDEEP:	3:N82EnijQhgqGp5Wn:22cijPrp5W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Connects to the CnC server
  - AppLaunch.exe (PID: 4876)
- Steals credentials from Web Browsers
  - AppLaunch.exe (PID: 4876)
- REDLINE was detected
  - AppLaunch.exe (PID: 4876)
- Application was dropped or rewritten from another process
  - injector.exe (PID: 4520)
- Actions looks like stealing of personal data
  - AppLaunch.exe (PID: 4876)
SUSPICIOUS
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 4264)
- Reads browser cookies
  - AppLaunch.exe (PID: 4876)
- Searches for installed software
  - AppLaunch.exe (PID: 4876)
- Connects to unusual port
  - AppLaunch.exe (PID: 4876)
INFO
- Checks supported languages
  - AppLaunch.exe (PID: 4876)
  - injector.exe (PID: 4520)
- Application launched itself
  - firefox.exe (PID: 2556)
- The process checks LSA protection
  - slui.exe (PID: 124)
  - AppLaunch.exe (PID: 4876)
- Manual execution by a user
  - WinRAR.exe (PID: 4264)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4264)
- Reads the machine GUID from the registry
  - AppLaunch.exe (PID: 4876)
- The process uses the downloaded file
  - WinRAR.exe (PID: 4264)
  - firefox.exe (PID: 2556)
- Reads the computer name
  - AppLaunch.exe (PID: 4876)
- Reads Environment values
  - AppLaunch.exe (PID: 4876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

C:\Windows\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll

272

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.12.1068154803\55613555" -childID 10 -isForBrowser -prefsHandle 7136 -prefMapHandle 7140 -prefsLen 31547 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {207554d4-b4af-45b1-b4f3-5d6249f93759} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 7124 26ae3e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1912

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.6.1503329859\1947380226" -childID 4 -isForBrowser -prefsHandle 2216 -prefMapHandle 2204 -prefsLen 28631 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43b6598-b44c-44de-bd8e-24ee73b4fe23} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2264 d85e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2460

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.5.1913081787\1751268074" -parentBuildID 20230710165010 -prefsHandle 2668 -prefMapHandle 2672 -prefsLen 25927 -prefMapSize 242647 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0139326-e067-4336-adb6-b55496a0a364} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2616 d81258 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2556

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://graph.org/FREE-VALORANT-HACK-07-19-3"

C:\Program Files\Mozilla Firefox\firefox.exe

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2576

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.0.1473837089\802537323" -parentBuildID 20230710165010 -prefsHandle 1528 -prefMapHandle 1320 -prefsLen 24055 -prefMapSize 242647 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d476f99a-0687-40ab-af4c-6f0409f7dfe1} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 1248 13c51b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll

2800

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.2.473134251\345421666" -childID 1 -isForBrowser -prefsHandle 2180 -prefMapHandle 2036 -prefsLen 23405 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1920584-30ca-4285-b6b7-921357a0d2b0} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2192 145fd258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll

2824

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.13.366318526\1098959597" -childID 11 -isForBrowser -prefsHandle 7684 -prefMapHandle 7692 -prefsLen 31547 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7939780-a2a2-4775-bb70-2e1e93ee4bdd} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 7688 284c0258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2872

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.7.875215885\1143543252" -childID 5 -isForBrowser -prefsHandle 2396 -prefMapHandle 2356 -prefsLen 28631 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4302565-ba33-4fbd-83ec-2b328b6d5d69} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2040 16b55a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2888

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2556.3.1065290155\2143685108" -childID 2 -isForBrowser -prefsHandle 2820 -prefMapHandle 2816 -prefsLen 25821 -prefMapSize 242647 -jsInitHandle 896 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e0bcf6c-5f25-4607-bf96-3c0e2f3f9971} 2556 "\\.\pipe\gecko-crash-server-pipe.2556" 2832 1b6c5d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

Add for printing

Total events

18 894

Read events

18 747

Write events

147

Delete events

Modification events


(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 0000000000000000
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008F000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\155\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|ScreenX
Value: 4
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|ScreenY
Value: 4
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Width
Value: 1152
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Height
Value: 622
(PID) Process:	(2556) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Maximized
Value: 0

Add for printing

Executable files

Suspicious files

607

Text files

188

Unknown types

Dropped files

PID	Process	Filename		Type
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\webappsstore.sqlite-wal		—
		MD5:—	SHA256:—
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shm		binary
		MD5:F18993A92ABC693AC86FCC5FB9AF1F6B	SHA256:E313AACBD11281EC67B7E8834BE1A125AE1BB65440BAB5EA7FADD43CC14268DC
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20230710165010		text
		MD5:6467179A4324D9C6D134D26A808BD092	SHA256:6507CCA05311093F3498A47865BFB71D1586C61A02393E7987539E58574D0430
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\extensions.json		text
		MD5:9D2F95C5091997A2B237D0530F53CB72	SHA256:2C06EFF08658AE2F6A83C890190646D5881F7771BF4017EA4EDC56EF39FAE2D5
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\extensions.json.tmp		text
		MD5:9D2F95C5091997A2B237D0530F53CB72	SHA256:2C06EFF08658AE2F6A83C890190646D5881F7771BF4017EA4EDC56EF39FAE2D5
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\compatibility.ini		text
		MD5:C6998EF9E767E571FE74299C971B9C98	SHA256:69C387E1BE9E3C5A5BE3B767F5734E7E31755B67C3F6F409D175FB9265D53F2E
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		—
		MD5:—	SHA256:—
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\webappsstore.sqlite-shm		binary
		MD5:F5D5904A6B330DFDCF2FB10721D83634	SHA256:B6C2E3937FFCE52E774C335AD7CAF753BA1062B1419C99DED699A16F99BBC43C
2556	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\ls-archive-tmp.sqlite-journal		binary
		MD5:27490F6B65B22DFF76467FBDFEC0C9D6	SHA256:5359B7B219F9AADD1716BA6854AB24E4565FE50D6BC432A708F51E2422D6CAFB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

229

DNS requests

578

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2556	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2556	firefox.exe	POST	—	2.19.126.162:80	http://r3.o.lencr.org/	unknown	—	—	shared
2556	firefox.exe	POST	—	192.124.249.41:80	http://ocsp.godaddy.com/	US	—	—	whitelisted
2556	firefox.exe	POST	200	2.19.126.162:80	http://r3.o.lencr.org/	unknown	binary	503 b	shared
2556	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	whitelisted
2556	firefox.exe	POST	200	192.124.249.41:80	http://ocsp.godaddy.com/	US	der	2.06 Kb	whitelisted
2556	firefox.exe	POST	200	2.19.126.162:80	http://r3.o.lencr.org/	unknown	binary	503 b	shared
2556	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2556	firefox.exe	POST	200	2.19.126.162:80	http://r3.o.lencr.org/	unknown	der	503 b	shared
2556	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2556	firefox.exe	149.154.164.13:443	graph.org	Telegram Messenger Inc	GB	suspicious
2556	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
2556	firefox.exe	34.193.43.112:443	spocs.getpocket.com	AMAZON-AES	US	unknown
2556	firefox.exe	34.211.118.46:443	shavar.services.mozilla.com	AMAZON-02	US	unknown
2556	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	suspicious
2556	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	suspicious
2556	firefox.exe	35.244.181.201:443	aus5.mozilla.org	GOOGLE	US	suspicious
2556	firefox.exe	52.24.231.34:443	location.services.mozilla.com	AMAZON-02	US	unknown
2556	firefox.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	34.107.221.82	whitelisted
graph.org	149.154.164.13	suspicious
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.216.34	whitelisted
ipv4only.arpa	192.0.0.171 192.0.0.170	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
spocs.getpocket.com	34.193.43.112 54.88.103.11 3.229.237.11 3.229.85.40	shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com	3.229.85.40 3.229.237.11 54.88.103.11 34.193.43.112	shared
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted

Threats

PID	Process	Class	Message
2556	firefox.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
324	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup

Add for printing

No debug info

General Info

https://graph.org/FREE-VALORANT-HACK-07-19-3

5C436A4355D31217EF27881BC7CB6EA7

C343AB178BF3C689EB3EDDCC36D5DFC54E0CE4FC

7BE5FC360020D6A73CF922E0808CC65A647B1684EE1BF596D3460BD1303CC7F1

3:N82EnijQhgqGp5Wn:22cijPrp5W

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Connects to the CnC server

Steals credentials from Web Browsers

REDLINE was detected

Application was dropped or rewritten from another process

Actions looks like stealing of personal data

SUSPICIOUS

The process creates files with name similar to system file names

Reads browser cookies

Searches for installed software

Connects to unusual port

INFO

Checks supported languages

Application launched itself

The process checks LSA protection

Manual execution by a user

Executable content was dropped or overwritten

Reads the machine GUID from the registry

The process uses the downloaded file

Reads the computer name

Reads Environment values

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings