Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 12:05

Static task: static1
Behavioral task: behavioral1
Sample: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Resource: win10v2004-20240802-en
General

Target: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe
Size: 1.8MB
MD5: f92bc75eb1dd5151fcda78609b39c232
SHA1: 4f1fb77fdd542f67d30cb26acca5747c6e01890e
SHA256: 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379
SHA512: bca933fb39dc32726ca15f3ae6a3237b9b72f38b5535288d5062bd3b1b9cae8372f3ff1173785d4f7e6914af2a23689d2b41e0a8e2d291cf3c9da16ce6920bf6
SSDEEP: 49152:oO5c9L38zV/FRevzokIcEQPHzIF+Lvnfs89O/eXHwlN2jmpVEdTea:d5cZ38bEvzoktUF+ffs8oD4m6Ka
Malware Config

Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php

Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svoutse.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svoutse.exe |

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | svoutse.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | RegAsm.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 4584 | svoutse.exe |
| 5068 | ee9218a39d.exe |
| 448 | e9488c3122.exe |
| 532 | e57bb73e4a.exe |
| 1232 | svoutse.exe |
| 5864 | svoutse.exe |

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | svoutse.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee9218a39d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\ee9218a39d.exe" | svoutse.exe |

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.

| resource | yara_rule |
|---|---|
| behavioral1/memory/3312-44-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |
| behavioral1/memory/3312-49-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |
| behavioral1/memory/3312-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe |

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)

| pid | Process |
|---|---|
| 3904 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| 4584 | svoutse.exe |
| 1232 | svoutse.exe |
| 5864 | svoutse.exe |

Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 5068 set thread context of 3312 | 5068 | ee9218a39d.exe | 93 |
| PID 448 set thread context of 1892 | 448 | e9488c3122.exe | 96 |

Drops file in Windows directory (1 IoC)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Tasks\svoutse.job | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb73e4a.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svoutse.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee9218a39d.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9488c3122.exe |

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |

Modifies registry class (1 IoC)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | firefox.exe |

Suspicious behavior: EnumeratesProcesses (8 IoCs)

| pid | Process |
|---|---|
| 3904 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| 3904 | 4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe |
| 4584 | svoutse.exe |
| 4584 | svoutse.exe |
| 1232 | svoutse.exe |
| 1232 | svoutse.exe |
| 5864 | svoutse.exe |
| 5864 | svoutse.exe |

Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2612 | firefox.exe |
| Token: SeDebugPrivilege | 2612 | firefox.exe |
| Token: SeDebugPrivilege | 2612 | firefox.exe |
| Token: SeDebugPrivilege | 2612 | firefox.exe |
| Token: SeDebugPrivilege | 2612 | firefox.exe |

Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
|---|---|
| 2612 | firefox.exe |

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry is shown as [depth] command line (PID), followed by the signatures matched by that process; children are indented under their parent.

[1] "C:\Users\Admin\AppData\Local\Temp\4915081771c7c2ec5f4154e7ab178a1fb9a4da9af726490b19ddd6c45b1dc379.exe" (PID 3904)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe" (PID 4584)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Local\Temp\1000001001\ee9218a39d.exe" (PID 5068)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 3312)
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 1140)
            - Suspicious use of WriteProcessMemory
          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password (PID 2612)
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b643906-999f-457c-be6b-59c13dac40e2} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" gpu (PID 3216)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f336a124-966a-4726-9e5e-b71f5de3679b} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" socket (PID 1216)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 1392 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1280baf-ca85-42a5-8b06-e606428a36b1} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 1104)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 2612 -prefMapHandle 2600 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e70f82c5-2ee4-4638-bddd-3f50d5e68ddf} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 732)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4840 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4112 -prefMapHandle 4800 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2899e15-5475-458c-aa38-b7488258adc3} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" utility (PID 5580)
                - Checks processor information in registry
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 5140 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60c73946-7092-4f8a-b379-317585506942} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 6040)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5320 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a018764a-6d6a-413c-abf5-d26bab94e508} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 6052)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {343597b4-16fc-44cf-8a4b-c206b94dba35} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 6064)
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 6048 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8349fb11-74a5-433d-94bf-d604e985db39} 2612 "\\.\pipe\gecko-crash-server-pipe.2612" tab (PID 5300)
    [3] "C:\Users\Admin\AppData\Local\Temp\1000002001\e9488c3122.exe" (PID 448)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 1892)
          - System Location Discovery: System Language Discovery
    [3] "C:\Users\Admin\1000003002\e57bb73e4a.exe" (PID 532)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 1232)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (PID 5864)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads